First Responders Guide to Computer Forensics

Richard Nolan Colin O’Sullivan Jake Branson Cal Waits

March 2005

CERT Training and Education

HANDBOOK CMU/SEI-2005-HB-001

Pittsburgh, PA 15213-3890

First Responders Guide to Computer Forensics

CMU/SEI-2005-HB-001

Richard Nolan Colin O’Sullivan Jake Branson Cal Waits

March 2005

CERT Training and Education

Unlimited distribution subject to the copyright.

This report was prepared for the SEI Joint Program Office ESC/XPK 5 Eglin Street Hanscom AFB, MA 01731-2100 The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange. FOR THE COMMANDER

Christos Scondras Chief of Programs, XPK This work is sponsored by the SEI FFRDC primary sponsor and the Commander, United States Army Reserve (USAR) Information Operations Command and USAR EIO. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense. Copyright 2005 Carnegie Mellon University. NO WARRANTY THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder. Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works. External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent. This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013. For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site (http://www.sei.cmu.edu/publications/pubweb.html).

..................................................................................................... 11 Wiretap Act/Electronic Communications Privacy Act........................................................................ 15 Pen Registers and Trap and Trace Devices .6 SUMMARY ................................................1 1................Contents CONTENTS .............................................................................................................5...................................4...................................................5.............................................5............................32 2 MODULE 2: UNDERSTANDING FILE SYSTEMS AND BUILDING A FIRST RESPONDER TOOLKIT...........................................................................................3 1................................1 INTRODUCTION .......4......9 The 4th Amendment...................4.................. IX PREFACE ........................................2 U.............................4 LAWS THAT AFFECT CYBER SECURITY .....................................................28 1............................. XI ABSTRACT ................................2.....................................................................................................1 1..............................................2........................................................ V LIST OF TABLES............ I LIST OF FIGURES.2 FORENSICS ....................................................................................25 1............................................ XIII 1 MODULE 1: CYBER LAW.........................................................................................................................................................................2 FILE SYSTEM ARCHITECTURE ........3 Reliability....1 1...................1....12 1.........................................1..............2 1...2......................................2 1..................................25 1.....................................................4............. 26 1....................6 LEGAL GOVERNANCE RELATED TO MONITORING AND COLLECTION ............................................................................33 2..........................27 1....................................................................................................36 CMU/SEI-2005-HB-001 i .....................................................................................................1..........1 MODULE 1 OBJECTIVES .........................................................................................7 REVIEW ....4 1.. 18 Stored Wired and Electronic Communications Act......................1 1.........................................................4................................................................4 The Best Evidence Rule............................................35 2...............................5........................2 1...............2 Authentication.................................................................4....................................................1 Hearsay...5 LEGAL GOVERNANCE RELATED TO ADMISSIBILITY (FEDERAL RULES OF EVIDENCE)..........................................1 1....................................................................................31 1............ 21 1.................................................................................................3 Computer Forensics................................................2.....1 Exceptions...................................................................1 Physical Look at the Hard Drive ...30 1....................................................................................................................................4..................................................5.........................................................S........9 Constitutional Issues...... Statutory Law.. 9 The 5th Amendment.................................................33 2...3 1.............................2............

..................................8............................................................................4 2..2 3..............................................................................2.......2.......2...................6 2................................3...........3..................................3............................................4 3..............2.............3.................6 3..........................66 2.........................................13 Duplication Tools........11 Commonly Used Terms ..........................................................................................................15 DoD Directive 5220-22M.............................................................................3 Methodology for a Creating First Responder Toolkit....................................................................2 INTRODUCTION .........................38 Understanding Windows File Structure....................................37 Importance of File Systems .........................................................................2..............8 3................83 REVIEW ............................ 48 2..........7 3.....1 3......................................... Slack.................2 2.............5 2.....................................................................................................................................................................................................3.85 OBJECTIVES ..................17 Other Storage Devices...........1 2.........2.........................................1 3.................................1 2.................3 2...............................................12 Forensically Sound Duplication.5 3 SUMMARY .....................................7 2........................................................................................................2 2....................................................................................................................64 2.............3..................................46 Swap File.......3 2......................1 Statically....................................2............. 80 NIST Methodology ..................................................41 NTFS: New Technology File System..................................................8..... and Unallocated Space.................61 2......................39 FAT: File Allocation Table ....................................................................................49 2.....2..........................2...5 3........... 81 2................93 VOLATILE DATA COLLECTION METHODOLOGY .............58 2...2...................2...4 2....................57 2...............................2..................................2 2..........3 3.................62 2..............14 Wiping Storage Devices .......................................................................................................56 2............................................ 75 Benefits of Proper Tool Testing.............85 3...........3....................................94 Step 1: Incident Response Preparation.......8.................3...........................9 Linux File System Basics......................2..............3 FIRST RESPONDER TOOLKIT ............................................................................6 Create a Forensic Tool Testbed .10 Boot Sequence ........................................87 ROLE OF A FIRST RESPONDER ..........................................................2......3 2..........54 2........................................3.....................................8....................... 47 Slack Space....................3..............................................................59 2...................................5 2...2.........89 ORDER OF VOLATILITY................................................................ 47 Unallocated Space.......................... Dynamically-Linked Tools..............................................................2......................................2...2 Problems with Dynamically-Linked Executables...........................vs.............8..............................2...............................................................3............. 72 Document and Set Up the Forensic Tools...............2.............2..88 WHAT IS VOLATILE DATA? ................................................3...................................................................................................................................................................3..................8 Types of Hard Drive Formatting......68 2..60 2....................63 2...............................................................................................................................3............ 69 Document the Testbed ........................ 73 Test the Tools ....................................95 Step 2: Incident Documentation.....................84 MODULE 3: COLLECTING VOLATILE DATA ...........................................92 COMMON FIRST RESPONDER MISTAKES ...................................47 Swap File .43 Windows Registry..............................................................16 Hard Drives.......................4 2..............96 ii CMU/SEI-2005-HB-001 ..................91 WHY IS VOLATILE DATA IMPORTANT?.......3......................

............................................................................. 167 NTFS...3.10 3.......................................... 167 Windows... 111 Running Processes ................................. 97 First Responder Toolkit Logbook ......... 113 Open Files.......................... Startup Files.................................................2 Volatile Network Information ........3 4..........1 OBJECTIVES ..........1....................6 Step 6: Volatile Data Collection Process ......3 3............................................5............2 3......2 4......3 Incident Profile.......11 4 SUMMARY ........................................... 169 4....................9...............................................................................................7 System Profile............................................................................9.......................................................................................1 3........................... 148 Routing Information...4 3....9...........................................................................................2.....................................1.......8....1 4.................................. 105 Current System Date and Time and Command History ....... 147 3........................9..............6.......... 101 3....................................................... 135 DLLs or Shared Libraries............ 167 Ext2/3..........................................................2 3...........................................5 3.....1 3............1 4.......8... 168 4................................................................... 168 4................................. 166 OS AND APPLICATION CONSIDERATIONS ......................................................... 161 What Problems Exist in Investigating Persistent Data? ......... 163 Consequences of Responses..................................................................................... 154 3...................................1.................3.....................................5................5................. 102 3....9............................6 3.........................2 Linux/UNIX................ 161 Why is Persistent Data Important?......8..................................................................................... 164 BASIC BUILDING BLOCKS OF DISK STORAGE ...2.......................................................5..............................8..........................................9........ 100 Establish a Trusted Command Shell .......................................9................................. 109 Current System Uptime............5 4................... 161 What Is Persistent Data? .......................................... 159 4...........................................................................1......................4 3.................2...............1 To Shut Down or Not to Shut Down… .............3 4..1 4..................98 Step 4: Volatile Data Collection Strategy................................... 158 MODULE 4: COLLECTING PERSISTENT DATA ....................................................2.............. 161 RESPONDING TO A SECURITY EVENT ...........................1 4.................1.................6 COLLECTING FORENSIC EVIDENCE ....................................9.................................... 171 CMU/SEI-2005-HB-001 iii ............................ and Clipboard Data .......8....... 167 FAT...............2................. 122 Logged On Users .8.......................2................................... 157 REVIEW .........1.........................8.................. 168 4...............................5.............................8....................................................................................9 TYPES OF VOLATILE INFORMATION................................1.................5................................................................9.......................................3 3.................1 Volatile System Information.................................9.......................2.................9...................3 Operating Systems ................5 Step 3: Policy Verification .........................99 Step 5: Volatile Data Collection Setup ...........................................5...................... 97 3................. 103 3........2....................5.........2 4...........................................................................1 4.............................................................. 100 Establish a Method for Transmitting and Storing the Collected Information.......................................4 4...............................1 3.....5.......1........................2...........................................................................................................................8.....................................................1............................................... 143 Open Connections and Ports ................................ 96 Forensic Collection Logbook...............................................2 3.....8...................... 104 3..............1 3................................................. 160 INTRODUCTION TO PERSISTENT DATA ..........................2 4............2 3.....3 3...................... 100 Ensure the Integrity and Admissibility of the Forensic Tool Output..............

...........................................................................................2 Windows.......173 4.........4.................................................................. 188 Commercial .................................................................................................3 4..1 4.................................. 178 IE Default Locations.............................7.3...............................5 Hidden Files........................2 Creating a Disk Image Using dd...........................................................................................................7 PERSISTENT DATA TYPES .....7.................6.........................................................4........................................................9..........................................................................................1...............................2 4.................. 189 Freeware ....1 4......................1......................................................... 174 4..................................2 4................ 184 Windows Artifacts ......4............................................... 178 Alternative Browsers ............................ 189 4....1.....................................................................................................7....11 SUMMARY ...................187 4........................................................................3..............................................................................................................188 4......................................................192 REFERENCES.................7................2...........191 REVIEW ...........8 RECOVERING A DELETED EMAIL .......1...................193 iv CMU/SEI-2005-HB-001 ...................................................1........................1 4..................................1 System Files ...............................................9.............................7.......................7....................................9....................................2 4.........................................................................2 UNIX/Linux ......................9...............................................3 4................ 183 Slack Space....................................................172 4..................................5 4.................1 4.....6 4.........2 4...........3...............4..... 182 Deleted Data .................................................................................. 173 UNIX/Linux..............176 Web Artifacts.......2...............................7....189 4.............................................4......1 Windows................................................................ 185 4.......7..........188 4.................................................................................7...................................................................................................186 4.........2 4......................9................................................................ 184 Swap Files........................................................................................................3................................................... Linux ..................................................4........................................................................4 4.....................................178 Windows vs..........4...................................................3 Command-Line Tools ...7...................................7.7....................7........173 4........................ 181 Cookies ............................... 189 Command-Line Tools .....................3 Temp Files...183 4... 184 Unallocated Space..................3 4................................................7............................9..................7............9 TOOLS FOR ACCESSING PERSISTENT DATA............................7............... 188 GUI-Based Utilities ...9......................4 4............ 184 Partial Files ..................... 189 GUI-Based Utilities .......10 4........................................................9..............................7..............................................................................................................................4 File Recovery .1 4..........2..................................................................

...........................................111 Figure 15: The net statistics Command................................................................................................................................................................................................ 115 Figure 19: Using PsList to Determine How Long a Process Has Been Running ........................................................ 66 Performing a Cryptographic Hash of Installed DLLs .....................................................................................................................................................................List of Figures Figure 1: Figure 2: Figure 3: Figure 4: Figure 5: Figure 6: Figure 7: Figure 8: Figure 9: Mapping of DoD and OSI Models.... 115 CMU/SEI-2005-HB-001 v ..................... 106 Figure 10: The PsInfo Command .............. 107 Figure 11: The cat Command.. 108 Figure 13: date and time Commands Used with netstat............... 54 The ldd Command......... 42 Types of CMOS Batteries........................................................................................... 107 Figure 12: The uname Command.................................................................. 109 Figure 14: The PsUptime Command ............................................ 76 An MD5 Hash .... 14 Logical Layout of the FAT32 File System ........................................ 112 Figure 17: Using netstat –ab to Determine Process Executable Image ................................................................................................................................ 64 Using Filemon to Identify Dependencies.............................................................................. 115 Figure 18: Using ListDLLs to Determine Command Line .................................. 70 A Regmon Listing ..... 101 The systeminfo Command ........... 112 Figure 16: The uptime and w Commands .........................................................................

........................................... 125 Figure 32: Autorunsc ......................117 Figure 25: A Process Memory Dump ... 131 Figure 42: The lsof +L1 Command.................................................................... 129 Figure 38: lsof +D.............................................................................................................................................................................................................119 Figure 27: The w Command.......................................................................................116 Figure 23: tlist.............................................. 120 Figure 29: The dir Command ....................................................................................................................................................................................................... 124 Figure 31: MACMatch ..........................................................................exe ........................ 126 Figure 34: Handle.......................................................................117 Figure 24: PsList ................................. 127 Figure 36: The ls Command............ 127 Figure 35: Pclip ............................................ 128 Figure 37: Using ls – alct to Show Last Modification Date and Time ................................................................ 130 Figure 40: The find Command..... 130 Figure 41: The locate Command....... 125 Figure 33: PsFile ........... 131 vi CMU/SEI-2005-HB-001 ........................................119 Figure 28: The ps Command.......................................... 130 Figure 39: lsof -i....................Figure 20: Using PsList to Determine How Much Virtual Memory a Process Is Using116 Figure 21: Using ListDLLs to Discover the Currently Loaded DLLs for a Process.............................................................................................................................................................................................................................................. 123 Figure 30: The afind Command....................................................................118 Figure 26: The top Command ..............................................................................................................116 Figure 22: Pulist Output..........................................................................................................................................................................................................................................

................... 136 Figure 48: The net user Command.. 145 Figure 59: The ldd Command................................................................................................................... 151 Figure 65: The net Command.............................. 133 Figure 44: The Inittab File........................................................................................................................................................................................................................ 134 Figure 45: A Cron Log ................................... 149 Figure 62: PsService ......................................................................................................................................... 150 Figure 64: The netstat –anb Command.............. 150 Figure 63: PromiscDetect................................................................................................................. 139 Figure 53: The last Command ........................ 146 Figure 61: Fport ............ 142 Figure 57: Using ListDLLs Without Options to Produce a List of DLLs ... 141 Figure 56: The cat shadow Command .................................... 138 Figure 51: The who –uH Command ......... 144 Figure 58: Using ListDLLs to Examine a Suspected Rogue Process............................................................................................................................................................................................................ 140 Figure 54: The w Command ......................................................................... 134 Figure 46: Netusers ..............................................Figure 43: The chkconfig –list Command ................................. 145 Figure 60: The ls Command ...... 141 Figure 55: The cat /etc/passwd Command............................................................................. 139 Figure 52: The who –q Command ............................................................................... 136 Figure 47: PsLoggedOn ................................................................................................................................................................................... 137 Figure 49: NTLast................................. 137 Figure 50: DumpUsers ............................ 152 CMU/SEI-2005-HB-001 vii ........................................................................................................................................................................................................................

............................................ 174 Figure 76: Sample Temp Folder Contents.................... 153 Figure 69: The Windows netstat –r Command........................... 180 Figure 80: The IE Default Location for Web Cache................................. 179 Figure 78: The IE Default Location for Cookies ............................................................................................. 155 Figure 71: The Linux netstat –rn Command ...................................................................................................................... 153 Figure 68: The ifconfig Command ....................................... 155 Figure 70: The Windows arp Command................................................ 179 Figure 79: The IE Default Location for URL History .... 176 Figure 77: The IE Default Location for Bookmarks ..................................................................................... 152 Figure 67: /var/log/messages .................................................... 180 Figure 81: The Default Location for Outlook Email Files................................................Figure 66: The netstat –anp Command................................................ 187 viii CMU/SEI-2005-HB-001 ........................................................................................................ 166 Figure 74: dd Syntax ...................................................................................................................................... 156 Figure 73: Sectors and Clusters........................ 156 Figure 72: The Linux arp –a Command...................... 172 Figure 75: The TypedURLs Folder ..................................................

............................................. 118 w Command Output Fields..................... 120 A Subset of ps Options............................................................... 123 Common ls Parameters......................................................................................................List of Tables Table 1: Default Cluster Sizes for Volumes with Windows XP Professional File Systems.............................................................. 129 Table 2: Table 3: Table 4: Table 5: Table 6: Table 7: CMU/SEI-2005-HB-001 ix ............................................... 121 dir Command Options .......................................... 120 Output Headings for ps and top ............................................................................... 40 PsList Output Headings.......................................................

x CMU/SEI-2005-HB-001 .

computer forensics. but will discover new approaches and methods. and survivability of IT and network infrastructures. CMU/SEI-2005-HB-001 xi .Preface This handbook targets a critical training gap in the fields of information security. In today’s networked world. integrity. and know how routine actions can adversely affect the forensic value of data. Knowledgeable first responders apply good forensic practices to routine administrative procedures and alert verification. This awareness will greatly enhance system and network administrators’ effectiveness when responding to security alerts and other routine matters. lack of preparation. The primary objective is to educate and motivate system and network administrators to approach both routine and unusual events in a safe forensic manner. For instance. This capability is a crucial and an often overlooked element of defense-in-depth strategies for protecting the availability. This handbook is designed to familiarize experienced system and network computer professionals with the fundamental elements of computer forensics and build on their existing technical skill set. The experienced security professional will encounter little in the way of new technical information contained in this material. it is essential for system and network administrators to understand the fundamental areas and the major issues in computer forensics. and incident response. When they understand the importance of their role as a first responder. and the common practice of returning the corrupted live system to its original state by either a fresh software installation or a system reboot. the safety and effectiveness of an organization’s use of computer forensics will be greatly enhanced. The authors would like to thank Bill Spernow of Experian for taking the time to review this handbook and share useful insights about the handbook’s intended audience. the step of collecting data from a live system is often skipped because of time constraints.

xii CMU/SEI-2005-HB-001 .

The first module describes cyber laws and their impact on incident response. This handbook was developed as part of a larger project. It targets a critical training gap in the fields of information security.. The incorporated slides are from the five day hands-on course Forensics Guide to Incident Response for Technical Staff developed at the SEI. It also explains the importance of collecting volatile data before it is lost or changed. The handbook should help the target audience to • • • • • understand the essential laws that govern their actions understand key data types residing on live machines evaluate and create a trusted set of tools for the collection of data collect. able to withstand the scrutiny of the courts) Each module ends with a summary and a set of review questions to help clarify your understanding. computer forensics. A live machine is a machine that is currently running and could be connected to the network. and procedures for applying fundamental computer forensics when collecting data on both a live and a powered off machine.e. The fourth module reviews techniques for capturing persistent data in a forensically sound manner and describes the location of common persistent data types. techniques. and any information security practitioners who may find themselves in the role of first responder. CMU/SEI-2005-HB-001 xiii . The second module builds understanding of file systems and outlines a best practice methodology for creating a trusted first responder tool kit for investigating potential incidents. and tools for collecting volatile data from live Windows and Linux systems. preserve. and incident response: performing basic forensic data collection. The third module reviews some best practices. The target audience includes system and network administrators. Our focus is on providing system and network administrators with methodologies. tools.Abstract This handbook is for technical staff members charged with administering and securing information systems and networks. law enforcement. and protect data from live and shut-down machines learn methodologies for collecting information that are forensically sound (i.

xiv CMU/SEI-2005-HB-001 .

1 Module 1: Cyber Law

Forensics Guide to Incident Response for Technical Staff
Module 1: Cyber Law

CERT® Training and Education
Networked Systems Survivability Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890
© 2005 Carnegie Mellon University ® CERT, CERT Coordination Center, and Carnegie Mellon are registered in the U.S. Patent and Trademark Office This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees.

Module 1: Cyber Law discusses aspects of federal laws that affect computer security professionals. The objective is to motivate security professionals to frame and consider their technical actions in the context of existing legal governance. Throughout this module several complex legal issues are reviewed briefly. While many of these issues could occupy an entire course, our goal is to expose the reader to topical areas of cyber law and raise awareness of how these laws could potentially impact their actions. Additionally, many scenarios are presented in a technical setting that demonstrates the impact of cyber laws. Scenarios are meant to help the reader understand the potential application and implications of cyber laws, and not as a definitive interpretation of the law. Every effort has been made to represent the laws accurately; however, this document is not an authoritative legal guide.

CMU/SEI-2005-HB-001

1

Objectives
• • Understand the role of a system administrator as a first responder to a security incident Understand the fundamentals of cyber laws: 1. The Wiretap Act 2. Pen/Trap and Trace Statute 3. Stored Electronic Communication Act Understand the impact of cyber laws on incident response Understand the fundamental areas of legal scrutiny that confront first responders to a security incident
© 2005 Carnegie Mellon University Module 1: Cyber Law

• •

1.1

Module 1 Objectives

The above slide lists the four primary objectives for Module 1, “Cyber Law.”

2

CMU/SEI-2005-HB-001

F or en sics a n d Com pu ter F or en sics
History of Forensics / Computer Forensics
1200 1300 1400 1500 1600 1700 1800 1900 2000

1248 C.E. Hi DuanYu “The Washing Away of Wrongs”

1892 C.E. Fingerprint Identification

1921 C.E. Polygraph Test Developed

1930 C.E. First Physical Forensic Lab Established

1950 C.E. First Computer Developed (ENIAC)

1986 C.E. ECPA

2002 C.E. FISMA Mandates Incident Response Capabilities

1984 C.E. Computer Forensic Experts

1989 C.E. First Person Indicted Under Title 18 Section 1030 (“Morris”)

1991 C.E. FBI CART Team Established

1996 C.E.DNA Evidence First Used at Trial in U.S.

© 2005 Carnegie Mellon University

Module 1: Cyber Law

1.2

Forensics

Forensics is the process of using scientific knowledge in the collection, analysis, and presentation of evidence to the courts. The word forensics means “to bring to the court.” Forensics deals primarily with the recovery and analysis of latent evidence. Latent evidence can take many forms, from fingerprints left on a window to DNA evidence recovered from blood stains. Forensics takes scientific knowledge and methods and combines them with standards of law for the purpose of recovering and presenting at court evidence related to a crime. The field of forensics has developed over many centuries. The earliest record of forensics dates back to 1248 C.E., when a Chinese physician named Hi Duan Yu wrote The Washing Away of Wrongs. Yu presented the anatomical and medical knowledge of the time as it related to law, such as the difference between drowning, strangulation, and death by natural causes.1 Fingerprint identification was not used and understood until 1892. The first forensic lab was established in the United States in 1930. DNA evidence was first used as evidence at a trial in 1996.2 Although forensics has developed into a well-documented and disciplined field of study with many levels of certifications, it is always changing. As scientific knowledge and practices expand, so too will the processes of forensics. Nevertheless, forensics will always lag behind

1 2

http://www.mdpd.com/astmhtm.html http://www.crimtrac.gov.au/dnahistory.htm
3

CMU/SEI-2005-HB-001

the advances of science in some way. An example is DNA evidence—DNA typing was understood and utilized in the 1980s in New Zealand, but did not appear as evidence in the U.S. courts until 1996. Considering that modern forensics has had almost six decades to develop in the U.S. courts and 800 years as a discipline, the specialized field of computer forensics, in comparison, is still in its infancy. It should come as no surprise, then, that there is very little standardization and consistency across the courts and industry in the area of computer forensics, as a result it is not yet recognized as a formal “scientific” discipline.

1.2.1 Computer Forensics
Computer forensics can be defined as the collection and analysis of data from computer systems, networks, communication streams (wireless) and storage media in a manner that is admissible in a court of law. It is a merger of the disciplines of computer science and the law. This definition applies to the collection of information in real time, as well as the examination of latent data. Here is what others have to say about the definition of computer forensics: “Computer forensics” can thus not afford solely to concern itself with procedures and methods of handling computers, the hardware from which they are made up and the files they contain. The ultimate aim of forensic investigation is use in legal proceedings [Mandia 01]. The objective in computer forensics is quite straightforward. It is to recover, analyze and present computer based material in such a way that it is useable as evidence in a court of law [Mandia 01]. The key phrase here is “useable as evidence in a court of law.” It is essential that none of the equipment or procedures used during the examination of the computer obviate this single requirement.3 At one time, computer forensics dealt exclusively with persistent data—data that is stored on a local hard drive or other medium and is preserved when the computer is powered off—and was the sole domain of law enforcement. In this age of interconnected networks, however, the examination and collection of volatile data is becoming more important. Volatile data is any data that is stored in memory, or in transit, that will be lost when the computer loses power or is powered off. Volatile data resides in registries, cache, and random access memory (RAM). Since the nature of volatile data is effervescent, collection of this information will likely need to occur in real or near-real time.

3

http://www.dibsusa.com/methodology/methodology.html
CMU/SEI-2005-HB-001

4

gov/ocr/hipaa/) Sarbanes-Oxley Act of 2002 (http://frwebgate. there are not nearly enough forensic investigators available to respond to every crime scene to collect. Almost always. etc.5 California Act 1798. is almost always conducted on a live machine.cgi?dbname=107_cong_public_laws&docid=f:publ204.html 5 CMU/SEI-2005-HB-001 . the collector authenticates the collected evidence and the expert testifies to its significance. attempted breach. fibers.ca.vnunet.gov/cgibin/getdoc.php/3085471.com/it_res/print. when a security breach or monitoring alert occurs.htm). criminally liable for breaches in the security or integrity of computer networks and systems.7 In fact. At trial. System administrators and security personnel must possess a basic understanding of how routine administrative tasks can affect both the forensic process (the potential admissibility at court) and the subsequent ability to recover data that can potentially be critical to the identification and analysis of a security incident. companies are not only trying to protect themselves from Internet-related threats but are also dealing with compliance and liability concerns related to these laws. with the rapid expansion of the Internet and the introduction of recent legislation such as HIPAA. http://itmanagement. which all report on the security status of networks to some degree in real time or near-real time.) from crime scenes in a forensically sound manner. Contrary to the impression given by popular television shows.earthweb.access. system administrators are often the “first responders” at potential “crime scenes.com/news/1150059.4 Sarbanes-Oxley.” It is critical that they possess the technical skills and ability to preserve critical information related to a suspected security incident in a 4 5 6 7 Health Insurance Portability and Accountability Act of 1996 (see http://www. verification is required to determine whether the alert is a false positive or is in fact an indication of some breach. or before the courts. So much of security is focused on locking down and monitoring systems that an often overlooked area is how information and evidence related to the alerts are technically handled. As a result. http://www. This division of labor is also needed in the discipline of computer forensics. many law enforcement officers are being trained to process and collect evidence (fingerprints. some sort of verification needs to happen. This verification.Also. in some cases.45 billion dollars in 2006.com/csoresearch/report50. all of which hold businesses civilly and. proxies.privacy.107. process. A qualified investigator then analyzes the evidence and makes conclusions at a later time..gpo. Like law enforcement officers. often a form of routine administrative task. These are relatively well-known trends in the IT community. International Data Corporation (IDC) has reported that the market size for intrusion-detection and vulnerability-assessment software will reach 1. and deals with volatile data.pdf).hhs. Information Practices Act of 1977 (http://www.csoonline. etc.gov/code/ipa. Several current writings point to the fact that companies are allocating more of their IT budgets towards security. These factors and others have increased the deployment of network security devices such as intrusion detection systems (IDS). or incident. http://www. firewalls. and analyze evidence. No matter what type of alert is generated.6 and others.

This skill set is not easily acquired.8 Here all the recent court cases can be reviewed.C. and is the subject of many courses of study. La ws th a t Affect Cyber S ecu r ity -1 U. No. COUNCILMAN. new court rulings are handed down that affect how computer forensics is applied. BRADFORD C. Constitution 4th Amendment 5th Amendment U.cybercrime. §§ 3121-27 Federal Rules of Evidence Hearsay Authentication Reliability Best Evidence © 2005 Carnegie Mellon University Module 1: Cyber Law 1. much of the protection [of the Wiretap Act] may have been eviscerated by the realities of modern technology. We observe. One recent court case. has a couple of interesting aspects: (1) it is a landmark case in that it could fundamentally change the way emails are dealt with and (2) the courts acknowledge that they are “wrestling with the antiquated nature of some of the laws. at this juncture. The best source of information in this area is the United States Department of Justice’s Cyber Crime Web Site. §§ 2701-12 18 U. §§ 2510-22 18 U.” Circuit Judge Juan R.C. Torruella wrote this in his summary: Moreover.gov CMU/SEI-2005-HB-001 6 .S. that the language may be out of step with the technological realities 8 http://www. 03-1383 UNITED STATES OF AMERICA. Almost daily. as well as numerous guides on the introduction of computer evidence in court and what standards apply. legal precedents.S. Defendant.S.S. Statutory Law 18 U. as most courts have. Appellant.C. and practices related to computer forensics are in a state of flux. Appellee.3 Laws that Affect Cyber Security Computer forensics is a relatively new discipline to the courts and many of the existing laws used to prosecute computer-related crimes. v. United States Court of Appeals for the First Circuit.S.forensically sound manner and that they be aware of the legal issues that govern their actions.

The outcome of this case was that the court did not believe that emails are protected by the Wiretap Act under the Store Communication Section when they are in temporary file storage at various locations along their delivery route. nor will their training ever make them so. 9 10 http://www. by Jonathan B. keep in mind that this module is meant not to be a course in legal studies but rather to serve as an introductory exposure to major legal governance issues that affect system administrators and network security personnel. Postel (see http://www.01A RFC 821.pl?OPINION=03-1383.uscourts.ca1. the dissenting judge uses sections of an RFC on emails10 and other very technical information and expresses two things: (1) that the current law was never intended to be applied to this type of technology and (2) that the “intent” of the law only protects email while it is being transmitted from sender to receiver. To use a training analogy from law enforcement. Constitution and the several exceptions to them. an interesting dissenting opinion was presented. Although the court ruled in favor of the defendant.org/rfcs/rfc821. This same model needs to be applied to system administrators and network security personnel. police officers are not lawyers.of computer crimes.faqs.S. but rather that they should be aware of and understand the fundamental legal issues governing their actions. police officers receive training in legal areas that authorize their actions and govern their responses.9 The appeal was over whether email should be considered stored electronic communication or whether it should considered transmitted electronic communication.html). police officers all have a fundamental understanding of the restrictions of the 4th and 5th Amendments of the U. Essentially. 7 CMU/SEI-2005-HB-001 . Again. For example. This is not to say that they should try to function as law enforcement.gov/cgi-bin/getopn. however. This is because these two amendments have significant impact on how law enforcement officers conduct themselves. This particular appeal reflects how the Courts are wrestling with the antiquated nature of some of the laws governing electronic communications.

S. In the United States of America. 3.S.S. §§ 3121-27 Federal Rules of Evidence Hearsay Authentication Reliability Best Evidence © 2005 Carnegie Mellon University Module 1: Cyber Law Three areas of law related to computer security will be examined: 1. the U.S.C. §§ 2701-12 (Real Time) 18 U. while the Federal Rules of Evidence deal primarily with admissibility.C. Statutory Laws primarily govern the collection process. Of the three areas above. §§ 2510-22 18 U.C.C.C. This is not a comprehensive review of these legal areas but rather a summary review of key aspects that will likely affect the actions of system and network administrators.S. 8 CMU/SEI-2005-HB-001 . Statutory Law − 18 U.S. there are two primary areas of legal governance affecting cyber security actions related to the collection of network data: (1) authority to monitor and collect the data and (2) the admissibility of the collection methods.S.S. Constitution − 4th Amendment “Protection against unreasonable search and seizure” − 5th Amendment “Protection against self incrimination” U. U. Constitution 4th Amendment U. 2701-12 (The Stored Wired and Electronic Communication Act) Federal Rules of Evidence − − − − Hearsay Authentication Reliability Best Evidence 2. 3121-27 (The Pen Registers and Trap and Trace Devices Statute) − 18 U.C.S.La ws th a t Affect Cyber S ecu r ity -2 Authority to Monitor & Collect Admissibility of Collection U.S. Statutory Law (Stored Data) 18 U. 2510-22 (The Wiretap Act ) − 18 U. Constitution 5th Amendment U.S.S. Constitutional and U.S.

houses.4 Legal Governance Related to Monitoring and Collection A key point to remember when considering these amendments is that they were written some two hundred years ago and are now being applied to a technology that could not be imagined by the original authors.1 Constitutional Issues 1.La ws th a t Affect Mon itor in g a n d Collection -1 U. Constitution (only limits government action) 4th Amendment: Protection against unreasonable search and seizure Katz Standard: 1. It does not extend protection from searches conducted by private parties who are not acting as agents of the government. and no Warrants shall issue.4. and effects. under the 4th Amendment.4. 1. Viewed by society as reasonable 5th Amendment: Protection against self incrimination Encryption and private keys © 2005 Carnegie Mellon University Module 1: Cyber Law 1.1.S. or under the direction of a government agent. supported by Oath or affirmation. shall not be violated. and the persons or things to be seized. but upon probable cause. Subjective expectation of privacy 2. and particularly describing the place to be searched. The question is whether or not your organization can be considered as “government”.1 The 4th Amendment The 4th Amendment to the United States Constitution is as follows: The right of the people to be secure in their persons. a bright line is a rule that clearly and unambiguously delineates what is so CMU/SEI-2005-HB-001 9 . There isn’t always a bright line answer to that question (in law. papers. against unreasonable searches and seizures. The 4th Amendment protects individuals from unreasonable searches and seizures conducted by agents of the government.

83233 (S. deemed inadmissible by the courts.findlaw. that information/evidence and all information/evidence subsequently obtained or discovered as a result of the original information/evidence will be suppressed. they are the fundamental questions asked by the 4th Amendment. 11 http://www. (2) the level of expected privacy is substantially less outside of the home. United States. if information or evidence is collected in a way that is determined to have violated the 4th Amendment. i. 362 (1967). If in doubt. Department of Justice Manual:11 When confronted with this issue. 456 U. 822-23 (1982). courts rely in part on the Katz test (Katz v. Barth. the following site is a good place to start: http://caselaw.).and what is not).N. Because individuals generally retain a reasonable expectation of privacy in the contents of closed containers.cybercrime. etc.V. they also generally retain a reasonable expectation of privacy in data held within electronic storage devices. Lynch. Also. To explore a more detailed analysis of the issues surrounding the 4th Amendment.I.” The 4th Amendment has been applied to information technology in a number of cases. Reyes. However. What system administrators and network security personnel need to understand is that individuals may enjoy a certain amount of privacy in the electronic world (emails. 287 (D.Y. courts have analogized electronic storage devices to closed containers. 1998) (finding reasonable expectation of privacy in files stored on hard drive of personal computer). See United States v. Tex. 284. 922 F.lp. and (3) protections (privacy) enjoyed from the 4th Amendment are dissolved when the item protected by this amendment is lost or otherwise ends up no longer in the custody of the owner. only that of the government. Accordingly. and have reasoned that accessing the information stored within an electronic storage device is akin to opening a closed container. 818. The following is an excerpt from a U.S.e. see United States v. 1996) (finding reasonable expectation of privacy in data stored in a pager).. 2d 929.S. In general. 93637 (W.S.gov/s&smanual2002. The Katz test outlines two questions: (1) Does the individual’s conduct demonstrate a (subjective) expectation of privacy? and (2) Would society be prepared to recognize this as reasonable? These questions allow for a range of interpretations and are the subject of a significant amount of case law. 347. the U. This is known as the “fruit of the poisonous tree doctrine.D. stored files. Supp. although not eliminated.D. organizations should always seek the advice of legal counsel in determining the answer. the principles set forth by the 4th Amendment provide for individuals to enjoy a “reasonable expectation of privacy. accessing information stored in a computer ordinarily will implicate the owner’s reasonable expectation of privacy in the information.htm CMU/SEI-2005-HB-001 10 . Some other key points are (1) the 4th Amendment does not apply to or restrict the conduct of private individuals. 908 F. United States v. Ross. 798.S. Supp. 26 F. United States v. Supp. 1995) (same).” In determining what is a reasonable expectation of privacy.com/data/constitution/amendment04/. 389 U.

The word “memorized” is an important qualifier. 1993) (same).html#h1 CMU/SEI-2005-HB-001 11 . Remember. 830 F.”). 1990) (“[A]n individual has the same expectation of privacy in a pager. at *21 (E. The core issue related to computer forensics is that under current jurisprudence the 5th Amendment’s protections against self incrimination extend to cryptographic keys. Cal. United States v.D. 531. Blas. Its protections do not extend to existing written and/or documentary evidence.D.United States v.org/crypto/legis_105/mccain_kerrey/const_impact. the 5th Amendment only protects an individual from being compelled to provide incriminating testimony. This affects system or network administrators because if encrypted files are found during a collection or examination of a system or network. 1. 535 (N. however. Wis. computer.html http://law. or other electronic data storage and retrieval device as in a closed container.2 The 5th Amendment The 5th Amendment provides that No person shall be compelled in any criminal case to be a witness against himself. For more details (in significant depth).cdt.1. Supp. 4. Dec. “Under the Fifth Amendment. little can be done to force an individual to decrypt them. visit the following Web sites: • • http://www. Chan. 1990 WL 265179. meaning that the key (passphrase) was never written down. an individual cannot be compelled to testify to his or her memorized key” [CDT 04].richmond.edu/jolt/v2i1/sergienko.4.

S. two deal with real-time electronic communications (18 U. Of these three statutes. 12 CMU/SEI-2005-HB-001 .S. §§ 3121-27) and the other (18 U.4.La ws th a t Affect Mon itor in g a n d Collection -2 U. Statutory Law 18 U. §§ 3121-27 18 U.C. §§ 2510-22 and 18 U. violations of these statutes could constitute a federal felony punishable by a fine and/or prison. as well as provide technical scenarios illustrating the exceptions to these statutes as they affect the actions taken by system administrators and network security personnel.S. §§ 2510-22 Wiretap Act 18 U.C. Statutory Law There are three U.S.S.C.C.2 U.S.S.C.S.C.C. Cyber Law Content Stored Communication Non-Content © 2005 Carnegie Mellon University Module 1: Cyber Law 1. Absent these exceptions. §§ 2701-12 Pen/Trap and Trace Stored Electronic Communication Act Content Real-Time Communication Non-Content U.S. §§ 2701-12 Wire and Electronic Communications Interception and Interception of Oral Communications Pen Registers and Trap and Trace Devices Stored Wire and Electronic Communications and Transactional Records Access This section will highlight the intent and purpose of these statutes.C. §§ 2510-22 18 U.S.S. §§ 3121-27 18 U.S.C. statutes that potentially impact the techniques used by system administrators and network security personnel during the collection of computer records and other digital evidence in response to a security incident: • • • 18 U.S. §§ 2701-12) deals with stored electronic communications.

CMU/SEI-2005-HB-001 13 . §§ 2510-22 Wiretap Act Non-Content 17 Bytes Layer 2 Header Content 20 Bytes Layer 4 Header Data 20 Bytes Layer 3 Header Layer 2 Header Contains information such as Ethernet SRC addr: 80:00:20:fa:b2:36 Ethernet DESC addr: 20:00:15:45:3f:f3 It also contains information about how much data there is to carry.6. §§ 3121-27 Pen/Trap and Trace 18 U. and 4 information and the Wiretap Act deals with Layer 5. Non-Content 18 U. Layer 1: Physical This is the physical wire that carries the electronic pulses.2. 3. Within the existing language of the above-mentioned statues the intent is that the Pen/Trap and Trace deals with Layer 2.7.4 Dest IP addr: 5. It contains information such as Source TCP port: 32892 Dest TCP port: 25 It also contains information about the data such as the checksum and the size of the data. They have been recently modified to better clarify their governance related to electronic communications. as they were born in an era when telecommunications was the primary medium of communication.C. but they focus on very different aspects of that communication. © 2005 Carnegie Mellon University Module 1: Cyber Law The Wiretap Act and Pen/Trap and Trace both deal with real-time communication.C. Layer 2: Data Link (17 bytes) Contains information such as the media access control (MAC) addresses of the source sending the packet and the next hop or destination.La ws th a t Affect Mon itor in g a n d Collection -3 Real-Time Communication: Content vs. It contains information such as Source IP addr: 1. the only thing constraining what is in here is whatever an application decides to put in here. Layer 4: Transport (20 bytes) Contains information such as source and destination ports. It is important to note that both of these statutes are not clearly written to apply to the flow of data over the Internet. 6. Layer 5+ This could be a random chunk of data.S. Layer 3: Network (20 bytes) Contains information such as the source and destination IP addresses.3. but there is little technical language embedded in the actual statutes themselves.8 It also contains information about the size of data carried. Layer 3 Header This is the IP packet inside the Ethernet packet.S. and 7 information. Below is a technical review of the Open System Interconnection (OSI) Model. Unlike all the other layers. Layer 4 Header This is a TCP packet inside the IP packet.

Content Data Link 1 Network Access Physical Figure 1: Mapping of DoD and OSI Models It is important to understand the fundamental difference between what the laws consider “content” and “non-content. Often the Department of Defense (DoD) Model or Internet Protocol Suite and the Open System Interconnection (OSI) Model are used to describe the same process. Below is a mapping of the two models. and signaling information) and Layer 5 (Layers 5 and above deal with the Data or Content). 14 CMU/SEI-2005-HB-001 . from a technical perspective the division occurs between Layer 4 (Layers 4 and below deal with routing. DoD Model OSI Model Application 7 6 5 4 3 2 1 4 Process Presentation } } Content Session 3 2 Host to Host Transport Internet Network Non.Layer 5+: Session/Presentation/Application This contains the data that the application requires (for example.” Although there is no bright line. this would be the data portion of an email message). addressing.

18 U. §§ 2510-22. or procures any other person to intercept or endeavor to intercept. or electronic communication Exceptions: 1) Provider Exception 2) Consent 3) Trespasser Exception © 2005 Carnegie Mellon University Module 1: Cyber Law 1.C. There are several exceptions enumerated in the statute. 18 U.1 Wiretap Act/Electronic Communications Privacy Act Generally speaking. etc.2. three have the greatest impact on the actions of system administrators and network security personnel.4.). Those actions are restricted by the Pen/Trap and Trace Statute. 1) Provider Exception. There are several exceptions. etc. URL scanners.. § 2511(2)(a)(i) It shall not be unlawful under this chapter for an operator of a switchboard. prohibits the interception of realtime electronic data communications (specifically the content). unless one of the statutory exceptions applies. §§ 2510-22 Prohibited Acts: intentionally intercepts. employee. Ethereal. whose facilities are used in the transmission of a wire or electronic CMU/SEI-2005-HB-001 15 . Etherpeek.e.). any wire. endeavors to intercept. endeavors to 18 USC 2511(1)(a) intercept. the Wiretap Act. which is discussed later.S.C. This law does not restrict the interception and examination of signaling information (information from the network and transport layers). oral. Of these. or agent of a provider of wire or electronic communication service. Layer 5+) of electronic data communication and any other device that looks at the content (Layer 7 firewalls. or an officer. oral. which are used to intercept and examine the content (i. or electronic communication. but only two exceptions that potentially affect incident response activities will be considered in this documentation. This law governs the usage of tools like sniffers (TCPDump.S.La ws th a t Affect Mon itor in g a n d Collection -4 Wiretap Act 18 U.S. The Wiretap Act applies to anyone who intentionally intercepts. or procures any other person to intercept or endeavor to intercept. any wire.C.

except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks. This allows for system administrators and network security personnel to conduct limited monitoring for the purpose of protecting the “rights or property” of the provider. or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service. a system administrator is using a URL scanner. If you have a correctly worded banner and an acceptable use policy that informs users of monitoring activities and how the information gathered from monitoring will be used.S.* 2) Consent. A clear nexus exists between this monitoring of “content” and the protection of the Web server. Given this consent to a written or bannered policy. 16 CMU/SEI-2005-HB-001 . § 2511(2)(c) …where such person is a party to the communication or one of the parties to the communication has given prior consent to such interception… Here is where bannering the network and written and signed acceptable use policies are critical. Here is a scenario that demonstrates an example of a clear nexus between a threat to the “rights or property” of a provider and what is being monitored: In support of Web services that are critical to his operations. the company can intercept and monitor Web surfing activities to ensure compliance with the policy. not just the connection-related information (Layers 3 and 4). It is permissible to monitor the content of electronic communications under this exception when there is a clear nexus between the threat and what is monitored.* Consent should never be taken as a general permission for system administrators to conduct ad hoc. random monitoring activities. in a vast majority of cases the consent burden will be satisfied. * This example is not intended to be legally authoritative but to frame a legal concept in terms that a system administrator will understand. He is examining the “contents” of the Web requests. 18 U. Here clear consent is required by the users of the system.C. Rather. monitoring activities related to consent should be part of a well-documented process that is explicitly enumerated in the obtained consent.communication. An example of this would be when a company institutes a policy that forbids nonbusiness-related Web surfing and states that monitoring of Web surfing will be conducted to ensure compliance. disclose. to intercept.

she also discovers that moments before the ftp alert. This practice was more important prior to the U.cybercrime. The definition of “protected computer” is found in 18 U. 12 * Fraud and Related Activity in Connection with Computers (see http://www. At this point. or. when it was unclear whether a “trespasser” enjoyed protection under the Wiretap Act. posting banners on network devices indicating that monitoring is occurring and how that monitoring will be used is still a best practice.3) Trespasser Exception. including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States… An example scenario of this exception would be as follows: A system administrator is on duty when she receives a remote syslog message from a Linux system that is running a SQL database indicating that the ftp service was started. Patriot Act.C. However. 1030(21):12 The term “protected computer” means a computer (A) exclusively for the use of a financial institution or the United States Government. Consultation with counsel should be sought to make an authoritative interpretation. This clearly presents a security threat to that system. through. in the case of a computer not exclusively for such use.html) This example is not intended to be legally authoritative but to frame a legal concept in terms that a system administrator will understand.S. or (B) which is used in interstate or foreign commerce or communication. Upon further inspection of the syslog files. there is an exception that specifically deals with trespassers. 18 U. With the Patriot Act.* It is also a best practice to post banners on network devices. § 2510(21) …a person who accesses a protected computer without authorization and thus has no reasonable expectation of privacy in any communication transmitted to. 17 CMU/SEI-2005-HB-001 . the system administrator runs a sniffer to begin monitoring and collecting the entire session originating from that system. in an effort to protect the network.S. There is an unauthorized root login and potentially an ftp session in progress.C. used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government.” Basically almost every public provider of electronic communication falls under this definition.S.gov/1030_new. or from the protected computer… This is a very broad exception because of the definition of a “protected computer. a “root” login occurred.

C. this statute.§ 3127(3) The term “pen register” means a device or process which records or decodes dialing. but such term does not include any device or process used by a provider or customer of a wire or electronic communication service for billing. however. or recording as an incident to billing. or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted. routing.S. Statutory definitions: • Pen Register .S. 18 U. routing. routing.2 Pen Registers and Trap and Trace Devices Whereas the Wiretap Act focuses on the content of electronic communications. except for certain purposes. Exception: 1) Provider Exception 2) Verification of Service 3) Consent © 2005 Carnegie Mellon University Module 1: Cyber Law 1. §§ 3121-27. for communications services provided by such provider or any device or process used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business.C.C. §§ 3121-27 Prohibited Acts: No person may install or use a pen register or 18 U. provided. that such information shall not include the contents of any communication. addressing.4.18 U.S.2. and signaling information reasonably likely to 18 CMU/SEI-2005-HB-001 . 3121(a) a trap and trace device without first obtaining a court order under section 3123 of this title or under the Foreign Intelligence Surveillance Act.C.§ 3127(4) The term "trap and trace device" means a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing.S. • Trap and Trace -18 U.C.La ws th a t Affect Mon itor in g a n d Collection -5 Pen/Trap and Trace Act 18 U. or signaling information for outgoing (Pen Registers) and incoming (Trap and Trace) wired or electronic communications. addressing. addressing.S. prohibits the installation of a device that records or decodes dialing.

C. For example.identify the source of a wire or electronic communication. Records of the number and size of the messages sent to and from an account will likely be collected. unlawful or abusive use of service. § 3121(b)(1) …relating to the operation.. Notice that there is an absence of intent-specific terms.. another provider furnishing service toward the completion of the wire communication. or to the protection of users of that service from abuse of service or unlawful use of service… The following is an example scenario for this exception: A network administrator runs Argus to monitor and analyze netflow traffic.C. that such information shall not include the contents of any communication.S. (2). 1) Provider Exception 18 U. and testing of a wire or electronic communication service or to the protection of the rights or property of such provider. Layers 3 and 4). Although this is a collection of signaling information.S.* 2) Verification of Service 18 U. however.S. 18 U. provided. or a user of that service. it is permitted under the Provider Exception because it is related to the maintenance and protection of the provider.S. A prohibited act under this statute. such as Netlog and Argus. and (3). some cellular telephone companies offer text messaging on a per use basis.e. maintenance. This statute governs the use of tools that are used to record and collect signaling information (i. The following is an example scenario for this exception: Companies that offer services on a per use basis maintain records of usage to ensure proper billing.* * This example is not intended to be legally authoritative but to frame a legal concept in terms that a system administrator will understand. § 3121(b)(2) …to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider. §§§ 3121(b)(1). from fraudulent. Within the definition one major point is clearly made: these devices (pen registers and trap and trace devices) deal with non-content information.C. 18 U. § 3121(a).C.. specifies that no person may install or use a pen register or a trap and trace device without first obtaining a court order… There are three exceptions to this statute. CMU/SEI-2005-HB-001 19 .

If you have a correctly worded banner and an acceptable use policy that informs users of monitoring activities and how the information gathered from monitoring will be used. Again. here is where bannering the network and written and signed acceptable use policies are critical. 20 CMU/SEI-2005-HB-001 .C.S.3) Consent 18 U. in most cases the consent burden will be satisfied. § 3121(b)(3) …where the consent of the user of that service has been obtained.

Consultation with legal counsel should be sought regarding whether your organization may be governed by these special types of privacy laws. §§ 2701-12 Content vs. §§ 2701-12. etc. session records. Like the Wiretap Act and the Pen/Trap and Trace Statute. deals with general protections for stored communications. There are several other statutes that may affect the level of protection.C.) Communications/Content (emails.3 Stored Wired and Electronic Communications Act The Stored Wired and Electronic Communication Act.La ws th a t Affect Mon itor in g a n d Collection -6 Stored Wire & Electronic Communication Act 18 U.S. connection logs. CMU/SEI-2005-HB-001 21 . voice mails. 18 U. access. electronic files on a file server.S.2. such as HIPAA and the Family Educational Rights and Privacy Act (FERPA). etc. and disclosure of stored electronic communication. the Stored Wired and Electronic Communication Act deals with content and non-content differently. Non-Content Focus: prohibited actions of a “public provider” in regards to accessing and voluntarily disclosing stored electronic communications Transactional Data (user logs.C.) © 2005 Carnegie Mellon University Module 1: Cyber Law 1.4.

S. This section does not prohibit the actions of private providers who may voluntarily disclose content (stored voice or email). §§ 2701-12 Prohibited Acts: a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service Disclosure of Content Exceptions: 1) 2) 3) 4) Consent Provider Exception Law Enforcement Emergency Situation Disclosure of Non-Content Exceptions: 1) Consent 2) Provider Exception 3) Emergency Situation Module 1: Cyber Law © 2005 Carnegie Mellon University Whereas the Wiretap and Pen/Trap and Trace statutes deal with real-time communications. This is a very complex statute that contains various restrictions. Whether your organization is a public provider or private provider should be determined by counsel. For the purpose at hand. There are more prohibited acts under this statute than addressed here.C.C. this statute deals with and provides general protection from access to and disclosure of stored electronic communications. and (2) a person or entity providing remote computing service to the public shall not knowingly divulge to any person or entity the contents of any communication which is carried or maintained on that service— (3) a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the 22 CMU/SEI-2005-HB-001 . only the following prohibited acts under the statute (18 U.La ws th a t Affect Mon itor in g a n d Collection -7 Stored Wire & Electronic Communication Act 18 U. and user information to government and non-government entities. § 2702) will be discussed: (1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service. but for our purpose we will look only at the prohibited acts of public providers regarding access and voluntary disclosure of stored electronic communications. transactional data. There are several sections to this statute.S.

§ 2702(b)(3) with the lawful consent of the originator or an addressee or intended recipient of such communication. if an application is scanning the contents of stored communications (email) on the mail server before sending it or prior to delivering it. preferably with both a written and signed policy and a banner. Given this consent. some companies prohibit the personal use of company email.).C. but is nevertheless worth noting. session records.). monitoring activities related to consent should be part of a well-documented process. Again. random monitoring activities.S. (2) transactional data (user logs. Products such as email virus scanners may very well fall under this definition.) and non-content (subscriber and transactional data related to account activities). Exceptions for Disclosure of Communications Content A person or entity may divulge the contents of a communication… 1) Consent 18 U. CMU/SEI-2005-HB-001 23 . 2) Provider Exception 18 U. and (3) subscriber information. There is some overlap between these two areas. there is a clear nexus between what is being monitored and the threat. This statute breaks down stored communication into three areas: (1) communications content (emails.S. consent from the users is required to allow for monitoring of email. etc. This breakdown has more to do with the mandatory disclosure section of this statute than with issues that system administrators and network security personnel will deal with.* Consent should never be taken as a general permission for system administrators to conduct ad hoc. The exceptions to this statute are broken into two categories: content (stored emails. To enforce this policy. compliance checks are possible. § 2702(b)(5) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service.* * This example is not intended to be legally authoritative but to frame a legal concept in terms that a system administrator will understand. etc. Rather. or the subscriber in the case of remote computing service… For example. connection logs.contents of communications covered by paragraph (1) or (2)) to any governmental entity. electronic files on a file server. electronic files. The following are exceptions that relate to the potential actions of system administrators and network security personnel. etc.C. voice mails.

C. in the examination of email for compliance with company policy. Exceptions for Disclosure of Non-Content Customer Records …may divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by subsection… 1) Consent 18 U. § 2702(c)(4) to a governmental entity.C. etc.C.C. § 2702(c)(3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service… 3) Emergency Situations 18 U.S. § 2702(b)(6)(C) …if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay… There are numerous scenarios in which this exception applies.C. The important issue here is that the discovery was incidental. It is often involved in suicide notes.S.S. §§ 2702(b)(6)(A)(i)and(ii) …if the contents were inadvertently obtained by the service provider and appear to pertain to the commission of a crime… For example. the result of a regular process. if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information… There are numerous scenarios in which this exception applies.* 4) Emergency Situations 18 U. a document is discovered that contains questionable material.S. missing children. 24 CMU/SEI-2005-HB-001 . etc.3) Law Enforcement 18 U. missing children. It is often involved in suicide notes. § 2702(c)(2) with the lawful consent of the customer or subscriber… 2) Provider Exception 18 U.S.

of the United States Department of Justice." . Basically there are two types of computer records: those that “contain the writings of some person or persons and happen to be in electronic form” (i. offered in evidence to prove the truth of the matter asserted.5. computer-stored records) and those that “contain the CMU/SEI-2005-HB-001 25 .. “Hearsay is not admissible except as provided by these rules or by other rules prescribed by the Supreme Court pursuant to statutory authority or by Act of Congress.” Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations.5 Legal Governance Related to Admissibility (Federal Rules of Evidence) 1. as well as other general topics dealing with electronic evidence [USDOJ 02]. is an excellent source for detailed information related to this topic. other than one made by the declarant while testifying at the trial or hearing.Computer-stored records Exception: Rule 803(6) “Records of regularly conducted activity” © 2005 Carnegie Mellon University Module 1: Cyber Law 1. Its importance to this topic relates to understanding the difference between computer-generated records and computer-stored records.Computer-generated records . offered in evidence to prove the truth of the matter asserted.” Further. published by the Computer Crime and Intellectual Property Section.1 Hearsay Hearsay is defined by the Federal Rule of Evidence 801(c) as “a statement. Criminal Division.e. according to Rule 802.La ws th a t Affect Ad m issibility of Collection -1 Federal Rules of Evidence (FRE) FRE 801(c) Hearsay: FRE 801(c): “a statement. other than one made by the declarant while testifying at the trial or hearing.

The outcomes from random. record. it is very likely that those logs will be admissible. First. unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness.1 Exceptions There are twenty-four enumerated exceptions to the Hearsay Rule. profession. However. two issues arise: authentication and reliability. made at or near the time by. and calling of every kind.13 It is important to understand the difference between these two types of computer records because computer-stored records can contain hearsay and computer-generated records. institution. ad hoc procedures will not fall under this exception. cannot. or data compilation. The term "business" as used in this paragraph includes business. if kept in the course of a regularly conducted business activity. events. a person with knowledge. 13 In some cases. record. CMU/SEI-2005-HB-001 26 . however. untouched by human hands” (i. records are both computer generated and computer stored. Second. if the computer records are computer-stored records that contain human statements. which IT professionals are more likely to deal with. 1. or data compilation. If a company logs everything as a practice. Rule 803(6). conditions. all as shown by the testimony of the custodian or other qualified witness. most federal courts have viewed all computer records as potentially containing hearsay.e. But this view is likely to change: As the federal courts develop a more nuanced appreciation of the distinctions to be made between different kinds of computer records. Rule 803(6) reads as follows: A memorandum. the government must show that those human statements are not inadmissible hearsay [Kerr 01]. In practice. or diagnoses. report. R. which will be explained in subsequent sections. for example. Evid. or from information transmitted by. report. whether or not conducted for profit.” Fed. association. “records of regularly conducted activity.” deals with issues pertinent to computer forensics. could contain both data entered by a person and data generated through calculations done by macros [Kerr 01]. This exception deals with “regularly conducted business activities. the government must establish the authenticity of all computer records by providing “evidence sufficient to support a finding that the matter in question is what its proponent claims. a question of admissibility may arise.output of computer programs.5. opinions. In dealing with computer-generated records. if only partial logging is done and during an incident additional logging is turned on. they are likely to see that the admission of computer records generally raises two distinct issues. 901(a).” This is why an IT policy is so critical regarding network monitoring and incident response. A spreadsheet. of acts. occupation.. and if it was the regular practice of that business activity to make the memorandum.1. in any form. The best example of this would be logging. computer-generated records).

An example of this is when a system administrator records the open connections on a system by running a netstat command and has that information saved on a diskette. CMU/SEI-2005-HB-001 27 . that he or she ran the command and generated the output that was then saved to the diskette. In addition.e.. say that the record is what it purports to be). All that is required is that the system administrator has first-hand knowledge.La ws th a t Affect Ad m issibility of Collection -2 Authentication FRE 901(a) states: The requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims. This same system administrator would need to authenticate this diskette at court by testifying that he or she ran the command that caused the output and. a person who acquired the record or caused the record to be generated can testify to the authenticity of the record (i. further.5. that the output was saved to that diskette. To authenticate a computer record.e. Federal Rule of Evidence 901(a) states the following: The requirement of authentication or identification as a condition precedent to admissibility is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims. This has more to do with chain of custody than expert testimony © 2005 Carnegie Mellon University Module 1: Cyber Law 1.. i.2 Authentication It is the burden of the person/party attempting to admit a computer-generated record to authenticate that record. It is not important or required that the system administrator have programming knowledge and understand how the netstat command works or to be able to provide analysis of the results of the netstat command. Having a process in place that will track collected information and ensure that it is preserved and not tampered with is also required. chain of custody plays a significant role in the process of authentication. It is not enough to just testify after the fact about what was collected.

An example of programs run in the normal course of business is RADIUS servers at an ISP supporting dial-up users.3 Reliability Another issue that IT personnel should be prepared to deal with is the reliability of the computer programs that generate the computer records. but the same information may become important in the event of an incident. a RADIUS server would be used to maintain logs of when users dial in to access the network. For example. as indicated in this excerpt from Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations: The courts have indicated that the government can overcome this challenge so long as “the government provides sufficient facts to warrant a finding that the records are trustworthy and the opposing party is afforded an opportunity to 28 CMU/SEI-2005-HB-001 . For the purpose of establishing reliability. When the information is used to support an incident.La ws th a t Affect Ad m issibility of Collection -3 Reliability: Computer Records/Processes Technical code analysis not required Verification of output Normal course of business © 2005 Carnegie Mellon University Module 1: Cyber Law 1. The more difficult situation in terms of reliability is when programs are used to collect information that are not run in the normal course of business.5. The ISP normally uses this information for billing purposes. The guidance from the courts is more complicated in this area. since it is where software that is used in the collection of information related to an incident may be challenged. computer programs are distinguished by whether they are or are not run in the normal course of business. RADIUS servers provide several functions related to an ISP’s business operations. This area is of particular interest to IT staff. the fact the program that generated the information was used in the normal course of business gives it reliability [Kerr 01].

CMU/SEI-2005-HB-001 29 .2d at 1038 [USDOJ 02]. Wiping. 896 F.2d at 547. R. How does this translate into working knowledge for IT staff? Module 2.inquire into the accuracy thereof[. Dioguardi. Duplication.]” United States v. 901(b)(9) (indicating that matters created according to a process or system can be authenticated with “[e]vidence describing a process or system used…and showing that the process or system produces an accurate result”)…the government may need to disclose “what operations the computer had been instructed to perform [as well as] the precise instruction that had been given” if the opposing party requests. 1990).11. 519 F. “File Systems. Evid. 428 F. at 893 n.2d. DeGeorgia. Compare Fed. 420 F. Briscoe.2d 1476. and Trusted Tools. 1494 (7th Cir. See also Liebert.” will describe some of the technical implications of dealing with reliability issues.

or photograph is ordinarily required.5. any printout or other output readable by sight. shown to reflect the data accurately. In fact. any printout or other output readable by sight.” that is. is an "original". on-site imaging must be done. Federal Rule of Evidence 1001(3) defines “original”: If data are stored in a computer or similar device. for information that otherwise could be represented in a chart or graph. which might be entire computers or large volumes of data. 30 CMU/SEI-2005-HB-001 .La ws th a t Affect Ad m issibility of Collection -4 Best Evidence: FRE 1001(3): If data is stored in a computer or similar device. in the 9th Circuit the courts require that during seizures of computers. is an “original”. shown to reflect the data accurately. the original writing. The courts have long recognized that at times it may be both impractical and unreasonable to require originals. a true bit by bit forensic image. leaving the original behind and taking only a “copy. © 2005 Carnegie Mellon University Module 1: Cyber Law 1. recording. or photograph. recording.4 The Best Evidence Rule The Best Evidence rule (Federal Rule of Evidence 1002) states that to prove the content of writing.

Wiretap Act / Pen/Trap and Trace Layer 5+ is the content portion of the packet Layers 2.6 Summary The five points above are the key concepts that should be understood from this module.Summary 1. Stored Communication Applied to public providers only 5. and 4 are the non-content portion of the packet 3. CMU/SEI-2005-HB-001 31 . 4th and 5th Amendments 5th Amendment—Cannot be compelled to provide private key if memorized 4th Amendment—Some protection outside of the home © 2005 Carnegie Mellon University Module 1: Cyber Law 1. Hearsay and Computer Records “Regular Course of Business” 4. 3. System administrator as the first responder to a security incident Authority to collect/admissibility of collection 2.

What is the important difference between computer-generated and computer-stored records in terms of cyber law? A. 32 CMU/SEI-2005-HB-001 . Q.Review Where is the technical difference between content and non-content in the OSI Model? What cyber law governs the usage of tools like sniffers? How many people are required for “consent” to be given? What aspect of electronic communication does the Pen/Trap and Trace Statue cover? What is the important difference between computergenerated and computer-stored records in terms of cyber law? © 2005 Carnegie Mellon University Module 1: Cyber Law 1. The non-content portion of real-time communications. Q. What aspect of electronic communication does the Pen/Trap and Trace Statute cover? A. Only one. Q. Between Layers 4 and 5. Where is the technical difference between content and non-content in the OSI Model? A. Computer-generated records contain no human statements and computer-stored records may contain human statements. Q.7 Review Q. What cyber law governs the usage of tools like sniffers? A. How many people are required to give “consent” under federal law? A. The Wiretap Act.

Most storage occurs on a computer’s internal hard drive and a basic understanding of hard drive design provides insight into the advantages and limitations of file systems. The first portion provides an overview of how the operating system (OS) interacts with physical storage media in creating and modifying files. Its intent is to provide the novice with a foundation and the knowledgeable with a baseline cursory review. Distribution is limited by the Software Engineering Institute to attendees.1 Introduction Module 2 consists of two distinct sections: Understanding File Systems.S. and Carnegie Mellon are registered in the U. A cursory look at the similarities between Windows and Linux is highlighted with a brief discussion of each OS’s characteristics.2 Module 2: Understanding File Systems and Building a First Responder Toolkit Forensics Guide to Incident Response for Technical Staff Module 2: Understanding File Systems and Building a First Responder Toolkit CERT® Training and Education Networked Systems Survivability Software Engineering Institute Carnegie Mellon University Pittsburgh. The first section. and Methodologies for Building a First Responder Toolkit. CMU/SEI-2005-HB-001 33 . is an introduction to technical concepts and terms important for later modules. Understanding File Systems. The last portion of this section addresses common forensic nomenclature. CERT Coordination Center. 2. Patent and Trademark Office This material is approved for public release. PA 15213-3890 © 2005 Carnegie Mellon University ® CERT.

repeatable.The second section outlines a best practice methodology for creating a trusted first responder tool kit that system and network administrators can use when responding to security events or system anomalies on live systems. 34 CMU/SEI-2005-HB-001 . The goal of this step-by-step. and welldocumented approach is to ensure all information is collected using sound forensic practices.

the hard drive. This section will provide a basic understanding of the most popular storage media. This overview of the Windows and Linux file systems will provide the foundation for the next two modules dealing with collection.In tr od u ction to F ile S ystem Ar ch itectu r e Hard disk drives File systems Windows UNIX/Linux Boot sequence © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2.2 File System Architecture File system design concepts and technical details fill up large volumes of textbooks. especially with regard to open-source OSs like Linux. Because of the large array of different file systems. so a detailed discussion on this topic is well beyond the scope of this introductory handbook. etc. CMU/SEI-2005-HB-001 35 . Additionally.) assists in the ability to notice anomalies – which is the first step toward incident detection. An understanding of what is expected in the normal use of a file system (where typically certain files are placed. you are encouraged to expand your knowledge outside the boundaries of this handbook for your particular networks. the vocabulary covered in the next few pages contributes to the technical staff’s communication with a professional cyber investigator. and how its design interacts with an OS’s file system. what default directories are named.

A combination of tracks is called a cylinder. A hard drive is like a record player. On a hard drive. the magnetic media are called platters. visit the following Web sites: • • http://www. not 1) S is the number of sectors For more details. you must be familiar with the physical organization of the hard disk drive. Bytes = C/D * H/C * S/T * 512 bytes C is the number of cylinders T is the number of tracks (track numbering starts with 0. A sector divides a track and typically holds 512 bytes.com/hard-disk.pcguide.howstuffworks. you can determine its maximum storage capacity.com/ref/hdd/ http://www. Hard drives consist of several platters with heads inserted between them that can read on one or both sides. and data is written on them by a read/write arm that has a head (analogous to a needle).htm 36 CMU/SEI-2005-HB-001 .A P h ysica l Look a t th e H a r d Dr ive Track Sector Arm Head Platter © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2.1 Physical Look at the Hard Drive To understand how file systems work on different OSs. The data on each platter is physically organized into tracks and sectors. A track is an individual concentric circle on the platter.2. By knowing the attributes of a hard disk drive. except that the hard drive can handle multiple stacks of records.

ReiserFS. High-level formatting is done when the OS is installed.2 Types of Hard Drive Formatting The two types of hard drive formatting are low and high level. FAT.Types of H a r d Dr ive F or m a ttin g Low level High level © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. High-level formatting creates the hard drive’s file system and allows the OS to store files by dividing them into smaller pieces and saving them in separate clusters (a grouping of sectors) on the disk. Low-level formatting is done by the hard drive vendor. including Microsoft (DOS. and NTFS) and Open Source Initiative (OSI) varieties (ext2. High-level formatting is file system specific. CMU/SEI-2005-HB-001 37 . These tracks and sectors form the physical blocks of storage of 512 bytes each. The OS uses this file system to keep track of the placement and sequence of each piece and to identify which sectors on the disk are free and available for new files. The computer can then assemble the different pieces when a file is viewed or executed. and XFS). Low-level formatting creates the track and sectors on the drive.2.

The forensic examiner has access to deleted files and to files contained in swap space. Swap space files are described later in this module.2. To discover where files are located and how they are distributed. Typically when a user deletes a file. It simply creates a flag that tells the OS that the sector can be reused.Wh y Un d er sta n d F ile S ystem s? Different OS. you need to know how to access and modify system settings when necessary. Knowing how to rebuild files from the file system is one of the most important skills of the forensic examiner. change. which is part of the virtual memory created on the hard drive by the OS.3 Importance of File Systems A file system has two basic functions that impact the computer’s performance: • • mapping physical spaces on the drive to logical addresses that comprise files read/write capability to open. and delete files Understanding how these functions work on different file systems is the foundation for responding to a security incident. although some OSs combine file systems. the file system does not permanently erase (wipe) the file from the hard drive. Most file systems are related directly to a particular OS. 38 CMU/SEI-2005-HB-001 . different file systems Poor documentation File location Hidden data File deletion © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. This is especially important because files can be hidden.

and so on. Clusters contain groups of sectors. on a disk that uses 512-byte sectors. and has gained significant momentum in server applications. All file systems used by Windows XP Professional organize hard disks based on cluster size. Usually the number of sectors to a cluster can be seen below for the Windows XP OS. and the new technology file system (NTFS). as previously described. By combining sectors into clusters. created (MAC) © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2.Win d ows F ile S tr u ctu r e Disk partitioning Cluster versus sector File allocation table (FAT) New technology file system (NTFS) Modified. which is determined by the number of sectors that the cluster contains. The following excerpt is from the Microsoft Windows XP Professional Resource Kit Documentation [Microsoft 04]. The partitions of logical drives are traditionally labeled by the file system as C. a 512-byte cluster contains one sector. The hard drive’s sectors. CMU/SEI-2005-HB-001 39 . the file system reduces the overhead to write and read files to the disk as it has to keep track of fewer unique storage areas. file allocation tables (FAT). Microsoft Windows is the predominate OS for user workstations.4 Understanding Windows File Structure On a physical hard disk. are further grouped by the Microsoft file system into clusters. For example. Dividing a physical drive into separate pieces is called partitioning. To understand Microsoft’s file structure. accessed. we must start by defining some storage terms: clusters. These clusters then form larger data groups to make a single larger addressable storage unit. A cluster (or allocation unit) is the smallest amount of disk space that can be allocated to hold a file. whereas a 4-KB cluster contains eight sectors. E. more then one logical section may exist. D.2.

which stands for modified.The two primary Windows file systems are FAT and NTFS. FAT32. Both will be described later. Date and time properties are appended to files as they are created. and NTFS volume and default cluster sizes. Examine a file’s MAC times for additional information about the history of the file. including a user’s interaction with it. Table 1 compares FAT16. Table 1: Volume Size 7 MB–16 MB 17 MB–32 MB 33 MB–64 MB 65 MB–128 MB 129 MB–256 MB 257 MB–512 MB 513 MB–1. and modified. 40 CMU/SEI-2005-HB-001 . and created. you can create and format larger volumes by using a particular file system. and NTFS each use different cluster sizes depending on the size of the volume. FAT16.024 MB 1. And when more clusters are supported. FAT32. the disk stores information more efficiently because unused space within a cluster cannot be used by other files. accessed. and each file system has a maximum number of clusters it can support.025 MB–2 GB 2 GB–4 GB 4 GB–8 GB 8 GB–16 GB 16 GB–32 GB 32 GB–2 terabytes Default Cluster Sizes for Volumes with Windows XP Professional File Systems FAT16 Cluster Size 2 KB 512 bytes 1 KB 2 KB 4 KB 8 KB 16 KB 32 KB 64 KB Not supported Not supported Not supported Not supported FAT32 Cluster Size Not supported Not supported 512 bytes 1 KB 2 KB 4 KB 4 KB 4 KB 4 KB 4 KB 8 KB 16 KB Not supported NTFS Cluster Size 512 bytes 512 bytes 512 bytes 512 bytes 512 bytes 512 bytes 1 KB 2 KB 4 KB 4 KB 4 KB 4 KB 4 KB A very helpful feature of Windows file systems is the details concerning MAC times. When the cluster size is smaller. accessed.

This table resides at the outermost portion of the disk with FAT32 offering a redundant copy in the event the primary suffers damage. read-only. removable flash memory. the FAT file system has been improved upon multiple times to take advantage of advances in computer technology. That system was based on the BASIC programming language and allowed programs and data to be stored on a floppy disk. The recovery of the redundant table is crucial if malicious activity makes the primary table unreadable. cluster number.2. since the advent of inexpensive. The FAT database table contains the filenames. also between digital devices. MAC times. CMU/SEI-2005-HB-001 41 . directory names. Today. and assorted attributes (hidden.) of disk’s files. and printers make use of FAT file system technology. many digital devices such as still and video cameras. etc. Since that time.5 FAT: File Allocation Table The following is from Microsoft’s Intellectual Property and Licensing Group introduction to FAT [Microsoft 03a]: The first FAT file system was developed by Microsoft in 1976. The FAT file system is now supported by a wide variety of OSs running on all sizes of computers. the FAT file system has become the ubiquitous format used for interchange of media between computers. and. scanners. audio recorders. In addition.F AT: F ile Alloca tion Ta ble Microsoft original Table Three versions © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. from servers to personal digital assistants. and to further refine and enrich the FAT file system itself. video game systems.

Figure 2 [Stoffregen 03] shows the overall logical layout of the FAT32 file system. Figure 2: Logical Layout of the FAT32 File System 42 CMU/SEI-2005-HB-001 .For a history of the FAT file system. with the allocation tables. visit the Microsoft Web site [Microsoft 03b]. primary and backup (labeled FAT #1 and #2 respectively). written directly behind the volume ID and boot sector (contained in the reserved sectors).

At format the MFT assigns logical cluster numbers (LCN) to the disk’s entire partition.6 NTFS: New Technology File System NTFS is currently the primary file system used by Windows XP. Each LCN is similarly linked to a virtual cluster number (VCN) which allows files to extend beyond across the free disk space area of the hard drive. which is the first file on the disk. It was first introduced with Windows NT. including system files. The Microsoft Windows XP Professional Resource Kit Documentation [Microsoft 04] is a comprehensive NTFS resource. A key advancement is the way files and directories are both stored on the disk with attributes that include security information. Records within the MFT are called meta-data and this contains information on all files located on the disk. The following excerpts are from the site.2.NTF S : New Tech n ology F ile S ystem Master file table (MFT) Access rights Encryption Larger volume sizes Multiple data streams © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. These LCNs allow the OS to read and write data on the disk. NTFS replaces the FAT and uses a master file table (MFT). CMU/SEI-2005-HB-001 43 .

Under FAT32. which is approximately 256 terabytes with a max individual file size of about 16 terabytes. EFS uses the key set for the user who is logged on to the local computer where the private key is stored. This has considerable impact on storage requirement for making forensic duplications and putting together fragmented files. When the file is saved.File and Folder Permissions On NTFS volumes you can set permissions on files and folders that specify which groups and users have access. NTFS file and folder permissions apply to users on the local computer and to users accessing the file or folder over the network. However. and what level of access is permitted. the system decrypts the file or folder when the user opens it. move. Users of EFS are issued a digital certificate with a public key and a private key pair. the maximum volume size was 32Gig with a 4 Gig file. copy. Larger Volume Size The maximum NTFS volume size as implemented in Windows XP Professional is 232 clusters minus 1 cluster. Users work with encrypted files and folders just as they do with any other files and folders. intruders who try to access the encrypted files or folders receive an "Access denied" message if they try to open. or rename the encrypted file or folder. Encryption The encrypting file system (EFS) uses symmetric key encryption in conjunction with public key technology to protect files and folders. Encryption ensures that only the authorized users and designated recovery agents of that file or folder can access it. File and folder permissions are maintained in discretionary access control lists. Encryption is transparent to any authorized users. Multiple Data Streams 44 CMU/SEI-2005-HB-001 . encryption is reapplied.

regardless of the file system used. CMU/SEI-2005-HB-001 45 . a graphics program can store a thumbnail image of bitmap in a named data stream within the NTFS file containing the image. Cluster Size As described previously. However. Every file has a main. A forensic examiner is particularly interested in these multiple data streams since they can hide data either intentionally or by coincidence. Applications can create additional named streams and access the streams by referring to their names. The application can then read the data by reading the same offsets in the read path. unnamed stream associated with it.A data stream is a sequence of bytes. NTFS supports additional named data streams in which each data stream is an alternate sequence of bytes as illustrated in the figure. The data stream is an additional data attribute of a file. For example. An application populates the stream by writing data at specific offsets within the stream. the cluster size has also significantly increased with NTFS. This feature permits related data to be managed as a single unit.

the registry becomes cluttered.asp 46 CMU/SEI-2005-HB-001 .1a http://www.4. a forensics examiner can discover hardware and software configuration.248 http://www.asp • RegClean v4.pcworld.com/downloads/file_description/0.pcworld.RSS. user preferences.00.com/downloads/file_description/0. Over time.RSS.fid. Windows artifact analysis is quickly becoming an important part of forensic discovery.4666. as more and more installation and removal program settings are saved. The following freeware utilities can delete these unused or old registry keys and clean up your computer: • Jv16 Power Tools v1.00.1. so you must understand how altering the registry settings can corrupt the system’s evidence collection and documentation. initial system settings.fid. and even logon and password information.7 Windows Registry The registry [Russinovich 97] has been the centralized configuration database for Windows and supported applications since Windows 95s’ introduction.Win d ows Registr y © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2.22765.2. From the Windows registry.

A significant advantage of NTFS is that it generates much less slack space.2. CJUS 5120. In this case. 2. http://www.8 Swap File.2. At the very least. long after deletions and rewrites.2 Slack Space As shown in the slide’s graphic. on older Windows 9X systems. which he may not know exists. S la ck.1 Swap File The swap file is a hidden system file that is used for virtual memory when there is not enough physical memory to run programs.2. CMU/SEI-2005-HB-001 47 . Slack.edu/cjus/Course_Pages/CJUS_5120 (2004) © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. the swap file is named pagefile.sys. The key for a forensic examiner is that a user might cover his tracks by wiping all files but this one. it is named win386. file information from previous use is still available. In Windows NT/XP systems.S wa p F ile.swp. Cybercrime and Digital Forensics.096 bytes per cluster (4K) 512 bytes per sector File is green Unallocated disk space University of North Texas. This swap file contains portions of all documents and other material a user produces while using the computer.8. a n d Un a lloca ted S pa ce Swap file RAM slack (blue) and file slack (red) 4. viewing these clusters can prove to a forensic examiner that a certain type of file might have existed. and Unallocated Space 2.unt. slack space results when file systems create a cluster (Windows) or block (Linux) but do not necessarily use the entire fixed length space that was allocated.8. Space on the hard drive is temporarily swapped with the RAM as programs are running.

The remaining files are in unallocated disk space.3 Unallocated Space When a user deletes a file. A forensic software tool can identify and restore these files.2.2.8. where clusters/blocks are not assigned but may contain data. but it remains on the system until it is overwritten. 48 CMU/SEI-2005-HB-001 . it is flagged as no longer needed.

This figure represents the structure of an inode: CMU/SEI-2005-HB-001 49 .9 Linux File System Basics The following excerpt is from a paper describing the Linux basic file system first published in the Proceedings of the First Dutch International Symposium on Linux (http://e2fsprogs.net/ext2intro.html): Basic File System Concepts Every Linux file system implements a basic set of common concepts derivated from the UNIX OS. Files are represented by inodes. access rights. pointers to data blocks.sourceforge.Lin u x Many different file systems i-nodes /proc © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. timestamps. the kernel code converts the current offset to a block number.2. size. and directories are simply files containing a list of entries and devices can be accessed by requesting I/O on special files. uses this number as an index in the block addresses table and reads or writes the physical block. The addresses of data blocks allocated to a file are stored in its inode. Each inode contains the description of the file: file type. When a user requests an I/O operation on the file. called an inode. Inodes Each file is represented by a structure. owners.

Each entry contains an inode number and a file name. a directory is a file containing a list of entries. Several names can be associated with an inode. When a process uses a pathname.Directories Directories are structured in a hierarchical tree. The inode contains a field containing the number associated with the file. where the inode number points to the inode. and in incrementing the links 50 CMU/SEI-2005-HB-001 . Links UNIX file systems implement the concept of link. the inode is loaded into memory and is used by subsequent requests. Actually. Each directory can contain files and subdirectories. Adding a link simply consists of creating a directory entry. After the name has been converted to an inode number. the kernel code searches in the directories to find the corresponding inode number. Directories are implemented as a special type of files.

it replaces the name of the link by its contents.e. Moreover. it is possible to create cross-file systems symbolic links. Another kind of link exists in most UNIX file systems. This type of link is called a hard link and can only be used within a single file system: it is impossible to create cross-file system hard links. The VFS is an indirection layer which handles the file oriented system calls and calls the necessary functions in the physical file system code to do the I/O. When an I/O request is made on a special file. When a link is deleted. Symbolic links are simply files which contain a filename. which identifies the device type. when one uses the rm command to remove a filename.e. and cause an overhead in the pathname to inode conversion because the kernel has to restart the name interpretation when it encounters a symbolic link. and restarts the pathname interpretation. which identifies the unit. CMU/SEI-2005-HB-001 51 . Since a symbolic link does not point to an inode. The former allows I/O operations in character mode while the later requires data to be written in block mode via the buffer cache functions. A device special file does not use any space on the file system. and a minor number. When the kernel encounters a symbolic link during a pathname to inode conversion. even on nonexistent files. the name of the target file. This indirection mechanism is frequently used in UNIX-like OSs to ease the integration and the use of several file system types. they use some disk space. devices can be accessed via special files. Symbolic links can point to any type of file. it is forwarded to a (pseudo) device driver. allocated for their inode and their data blocks.count in the inode. Symbolic links are very useful because they don't have the limitations associated to hard links. It is only an access point to the device driver. i. Device Special Files In UNIX-like OSs. hard links can only point on files: a directory hard link cannot be created to prevent the apparition of a cycle in the directory tree. However. the kernel decrements the links count and deallocates the inode if this count becomes zero. Two types of special files exist: character and block special files. A special file is referenced by a major number. i. The Virtual File System Principle The Linux kernel contains a virtual file system layer which is used during system calls acting on files.

Each entry in this table describes a file system type: it contains the name of the file system type and a pointer on a function called during the mount operation. the appropriate mount function is called. inodes. initializing its internal variables. and open files. and returning a 52 CMU/SEI-2005-HB-001 . When a file system is to be mounted. which is responsible for handling the structure dependent operations. The VFS knows about file system types supported in the kernel. This function is responsible for reading the superblock from the disk. the kernel calls a function contained in the VFS. File system code uses the buffer cache functions to request I/O on devices. This function handles the structure independent manipulations and redirects the call to a function contained in the physical file system code.When a process issues a file oriented system call. This interface is made up of a set of operations associated to three kinds of objects: file systems. This scheme is illustrated in this figure: The VFS Structure The VFS defines a set of functions that every file system has to implement. It uses a table defined during the kernel configuration.

The function pointers contained in the file system descriptors allow the VFS to access the file system internal routines. read.mounted file system descriptor to the VFS. the file descriptors contains pointer to functions which can only act on open files (e. Each descriptor contains information related to files in use and a set of operations provided by the physical file system code. While the inode descriptor contains pointers to functions that can be used to act on any file (e.. write). the VFS functions can use this descriptor to access the physical file system routines.g. unlink). and private data maintained by the physical file system code. pointers to functions provided by the physical file system kernel code. After the file system is mounted. Two other types of descriptors are used by the VFS: an inode descriptor and an open file descriptor. A mounted file system descriptor contains several kinds of data: information that is common to every file system type.g.. create. CMU/SEI-2005-HB-001 53 .

2. when the power is off. including the date and time.Boot S equ en ce © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. The CMOS uses a small battery to store system configuration information.10 Boot Sequence To ensure that forensic data is not contaminated or altered. The BIOS contains programs that include the instructions for input and output at the hardware level. If a system has a BIOS password usually this can be reset by removing the CMOS battery. Figure 3: Types of CMOS Batteries 54 CMU/SEI-2005-HB-001 . a first responder needs to understand how to open and set the suspicious computer’s CMOS (complementary metaloxide semiconductor) and BIOS (basic input/output system) to boot from a CDROM. Note the BIOS lives inside the CMOS Chip.

com/ref/mbsys/bios/boot.computerhope.com/bios. visit the following Web sites: • • • http://www. For more details. Therefore. Ctrl-Alt-Ins. Del. you must enable the BIOS to boot directly from a trusted floppy or CD drive. On most systems. Many vendors also have CMOS and BIOS information and instruction on their Web site.pcguide. the boot sequence and other start-up activities can modify important forensic data. during start-up.htm CMU/SEI-2005-HB-001 55 .howstuffworks.. the screen usually displays the appropriate key (i. This is an important tip in your pre-incident response preparation: know your systems and maintain a library of manuals and documentation.e.com/help/cmos. Read the suspicious computer’s instruction manual so that you access the BIOS set-up on start-up and prevent unnecessary frustration and possible modification of data.When a system is restarted.htm http://www.htm http://computer. or a function key) that brings up the BIOS menu.

including every 1 and 0. if another system administrator says “Copy the drive to make an image.” he probably needs a backup (just files). clarify the terms “copy” and “image. Inc [NTI 03]: Copy: Includes only file information.” For example. he probably needs a duplicate image (every 1 and 0 on the disk) for use as forensic evidence.Com m on ly Used Ter m s Copy Backup Image Mirror image Bit-stream copy Bit-stream image © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. bit-stream image: Exact replica of all sectors. The following definitions are from New Technologies. not slack space or unallocated space Backup: Files copied for future restoration Image: A file copy of a complete disk used for duplication or restoration Duplicate image. But if a forensic examiner asks the same question. and the swap file. bit-stream copy. This includes slack space. 56 CMU/SEI-2005-HB-001 .11 Commonly Used Terms When working with a forensic examiner.2. unallocated space.

including slack space.12 Forensically Sound Duplication Bit-by-bit copy or bit-stream “duplicate” image means capturing every 1 and 0 on the hard drive. unallocated space. Understanding bit-by-bit duplication and why it is forensically sound helps you to decide whether to make a copy (captures active files with the OS’s copy command) or an image (captures active and latent data) of a drive.2. CMU/SEI-2005-HB-001 57 . and the swap file.F or en sica lly S ou n d Du plica tion Bit-by-bit or mirror image Exact duplication of original disk © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2.

Du plica tion Tools diskcopy with /V switch dd command Freeware Commercial tools © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2.asp More on duplication tools will occur in Module 4. visit the following Web sites: • • http://www.pcworld.html http://www. 58 CMU/SEI-2005-HB-001 .sortIdx.cert.1.2.1503.pg.13 Duplication Tools For a comprehensive list of freeware security and file management tools.org/tech_tips/security_tools.00.1.com/downloads/browse/0.cat.

22961. For assorted freeware and commercial wipe file/disk products. There is a good chance that latent sections remain.com/downloads/file_description/0.1 http://www.asp Sure Delete v5.asp PGP http://web.com/downloads/file_description/0.7 http://www.14 Wiping Storage Devices An interesting article [MIT 03] demonstrates why disks should be wiped before they are sold.22393. donated.00. The only sure way to be reasonably certain is to wipe the storage device. or trashed.22920.fid. 0s.edu/network/pgp. Two MIT graduate students looked at 158 used disks and found an assortment of personal and financial information.2 http://www. visit the following Web sites: • • • • • Active@ Kill Disk Hard Drive Eraser v1.fid.pcworld.2. or crypto function Freeware and commercial tools © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2.Wipin g S tor a ge Devices Permanent Writes over media with all 1s.asp Eraser v5.000 credit card numbers.fid. data that is erased from a hard drive is not necessarily permanently removed.fid.mit.0.html CMU/SEI-2005-HB-001 59 . Recalling from the first part of this module.00.1 http://www.22963. including over 5.com/downloads/file_description/0.00.com/downloads/file_description/0.pcworld.00.pcworld. reused.pcworld.asp WipeDrive v3.

The second pass inscribes zeroes onto the surface (in hex 0x00) After the third iteration. The first pass inscribes ones over the drive surface (in hex: 0xFF). 60 CMU/SEI-2005-HB-001 .mil/isec/nispom. For more details.15 DoD Directive 5220-22M The United States Department of Defense (DoD) issued Directive 5220-22M as part of its National Industrial Security Program. Each iteration makes two write passes over the entire drive. The directive sets security standards for DoD contractors for sanitizing hard drives that contain less than top-secret data.dss. visit http://www.htm. a seventh pass writes the government-designated code “246” across the drive (in hex 0xF6) which is then followed by an eighth pass that inspects the drive with a read-verify review.DoD Dir ective 5220-22M DoD “Wipe Out” Operation Three iterations completely overwrite a hard drive six times.2. © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2.

S tor a ge Devices -1 Hard drive © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2.16 • Hard Drives When evidence is expected to be found on a hard drive. NTFS Extended Volume) • • • CMU/SEI-2005-HB-001 61 . not an entire physical drive. Is the evidence mission critical or can it be removed? Sometimes it is easier to hand over the original hard drive to the investigators. rather then perform the time consuming duplication process. Do you have additional sanitized (wiped) hard drives with the adequate storage capacity? It is good to have prepared hard drives on hand of the proper capacity in case duplication must occur before an investigation team arrives. Does the evidence span several physical hard drives? (Raid Array. Also a user’s computer might simply be seized as evidence.2. If the evidence is on a mission critical system it may not be possible unless a hot swappable back-up is available. these factors need to be addressed: Is the drive on the server or a user’s computer? The necessary evidence may only be on one partition.

17 Other Storage Devices There are many types of storage devices. Backup tape: host OS Floppy drive: FAT12 CD/DVD: ISO 9660 Compact Flash. USB thumb drive: usually FAT32 62 CMU/SEI-2005-HB-001 . many of which still use the FAT file system.S tor a ge Devices -2 Backup tapes Floppy drives CD/DVD USB connected devices © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. storage devices do not have to have the same file system as the OS it interacts with. As shown below.2.

This is important for forensic examiners as they examine machines to determine when activities took place. you’ll want to select tools that create output-specific information and then test it to determine system dependencies so that it can be statically compiled (best case) and well documented.F ir st Respon d er Toolkit Understand program dependencies Select tools Test and verify tools Understand the benefits to using this methodology © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. CMU/SEI-2005-HB-001 63 .3 First Responder Toolkit It is important to understand that network and security professionals should have trusted tool kits prepared. as a first responder. it should be considered untrustworthy until proven otherwise. When a program is executed. it normally uses shared libraries for routine system commands and changes those common files’ access times. A trusted tool should have the needed libraries statically compiled when possible. It is this issue that prompts the creation of a trusted tool. When responding to a system whose trust state cannot be known. Also.

However.3. Dynamically-Linked Tools The significant difference between a statically-linked executable and a dynamically-linked executable is that a statically-linked executable is self-contained: the program contains all the code necessary to successfully run as a standalone program. An example of a dynamically-linked executable that could be used by a forensic examiner is the Windows native netstat. Statically-linked executables or tools are forensically better because they limit the impact (footprint) on the suspicious computer. a dynamically-linked executable uses loaded libraries within the computer’s memory to run. Figure 4: The ldd Command 64 CMU/SEI-2005-HB-001 . .1 Statically. Dyn a m ica lly-Lin ked Tools © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2.exe command.vs.vs. This executable uses multiple dynamic-link libraries (DLLs) in order to properly execute.S ta tica lly.

An executable then uses this information to call functions and access data stored in the library. a link is established between the executable and the required libraries. and updates the executable with the library’s location. The loader searches the hard disk for the required libraries (generally located in the Windows System32 folder). One disadvantage of dynamic linking is that the executables depend on the separately stored libraries in order to function properly. loads them into an unpredictable location within memory. At loadtime. This further explains why including the necessary DLLs for an executable on a separate disk will not ensure that the binary will use the DLLs on the separate disk. the OS’s loader loads the executable and the libraries separately. the executable could malfunction and cause unreliable and false output [Wikipedia 04]. renamed. or replaced with an incompatible or malicious version. This type of dynamic linking is called loadtime linking and is used by most OSs including Windows and Linux.In dynamic linking. moved. If the library is deleted. Within a binary. CMU/SEI-2005-HB-001 65 . a table called an import directory or a variable-length array of imports contains the name of each required DLLs. It also explains why the first responder should never trust or use the native commands on the suspicious computer for collecting volatile data.

include the list of files on the response disk so that in the event that it becomes necessary. Therefore. Because Windows code is closed and not publicly available it is not possible to statically compile Windows native executables.3. this list can be provided and be used to identify what changes to the system were made by the first responder. Figure 5: Using Filemon to Identify Dependencies 66 CMU/SEI-2005-HB-001 .P r oblem s With Dyn a m ica lly-Lin ked E xecu ta bles © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. With this information. use the Filemon utility.2 Problems with Dynamically-Linked Executables One issue in creating a first responder toolkit is the problem with forensic tool dependencies and DLLs in Windows. it is possible to at least note what impact (or footprint) the program will have on the system. at a minimum it is important to define what DLLs and files are affected when executing a Windows program. Once the dependencies have been identified. To determine which files or shared libraries each forensic tool accesses.

This is the preferred type of tool because its output is more trustworthy. CMU/SEI-2005-HB-001 67 . Since most of the operating systems are open source it is possible to statically build binaries that will not rely on shared libraries.The issue with DLLs is not as pressing in the UNIX world.

It provides guidelines and reproducible procedures for future toolkit verification.3. 2. In either case. command. In most computer crime cases. A working knowledge of the tools in your toolkit will aid your collection efforts and help you understand your collection limitations and capabilities. being prepared beforehand is crucial. you do not want to waste time putting together a set of tools at the last minute that you think might do the job. Document the testbed 3. the first responder will be the system administrator or a member of law enforcement. create a forensic tool testbed document the testbed document and set up the forensic tools test the tools As a first responder.Meth od ology for Cr ea tin g a F ir st Respon d er Toolkit 1. Create the forensic tool testbed 2. Document and set up forensic tools 4. 4.3 Methodology for a Creating First Responder Toolkit Before a security incident occurs and before any evidence collection is done. the first responder must develop a toolkit. 3. or application you use in the field. Test the tools © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. The methodology for creating a first responder toolkit includes of the following four procedures: 1. As you create your toolkit. you will become more familiar with forensic collection tools and native commands and their proposed functionality. 68 CMU/SEI-2005-HB-001 . you should follow this methodology to ensure the integrity and reliability of each collection tool.

free of artifacts from any previous use that could compromise its integrity and reliability.3.htm CMU/SEI-2005-HB-001 69 . The following freeware is available. you may want to create two different testbed machines.1 Create a Forensic Tool Testbed The first step in creating a first responder toolkit is to create a trusted forensic computer or testbed. Identify the OS Type Choose an OS type. VMware allows you to install multiple OSs on a single machine. Sanitize the Testbed Completely sanitize the machine so that you can start with a fresh slate.com/index.3. ensure that the forensic tool testbed is a trusted resource. The same holds true for Linux. it makes sense to use a Windows forensic tool testbed.htm#/bcwipe3. If the enterprise has Windows and Linux machines. • BCWipe (Windows) http://www. But before any tool is tested. It should be a fresh install.Cr ea te a F or en sic Tool Testbed © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. This includes a complete (forensic) wipe of the hard drive(s) to remove any data or artifacts left from the machine’s previous use. If the enterprise you respond to is primarily Windows based. one for each type of OS you may be dealing with. This testbed will be used to test the execution and functionality of each forensic collection tool you consider using. The testbed should be comparable to the systems that you are responding to. However.jetico.

sourceforge. perform a cryptographic hash of the installed DLLs on the system while off-line. then you must verify the hashes before installing the OS. you may want to identify all shared libraries on the system and compute a hash of all the shared libraries. Hash the DLLs For Windows testbed machines. Again. rehash the shared libraries after running your tools and then compare checksums. 70 CMU/SEI-2005-HB-001 . This is just using best practices and you should treat this testbed machine like any other machine in your IT and network infrastructure. the testbed system has a minimal set of software applications installed. but it’s better for the tool testbed system to replicate a critical system within your IT and network infrastructure so that you know how to respond to machines in that similar state or that have critical services running. After you run and test your forensic tools. you can rehash and compare before and after checksums to determine if any DLLs have been modified or accessed. Update and Patch Bring the system up to date. Figure 6: Performing a Cryptographic Hash of Installed DLLs For Linux testbed machines. designated CD-ROMs for each application and OS)..e. Any necessary patches or hot fixes should be applied to the machine. Again these updates and patches must be applied offline and from a designated disk with known hashes. Typically. This ‘patch CD’ should become a documented item in your tool kit.• Wipe (Linux) http://wipe.g..net/ Install Software Install the OS and necessary software applications from trusted resources (i. This produces checksums for the DLLs at their initial known safe state. If you have downloaded open source OSs (e. Linux variants).

Tripwire or LANguard can identify changes to MAC times. Later. visit the following Web sites: • • • http://www.gfi.com/ntw2k/utilities.tripwire.org/downloads/index.com/languard/ CMU/SEI-2005-HB-001 71 .Install a File Integrity Monitor Using a file integrity monitor on the testbed system is a best practice.sysinternals.shtml http://www. during tool tests.php http://www. File integrity monitors like Tripwire or LANguard System Integrity Monitor (SIM) should be installed on the forensic testbed to monitor the integrity of the testbed computer’s file system. Another file system utility called Filemon monitors which files each forensic tool uses or references. For more details.

.e. If you respond to a security incident and the integrity and reliability of your tools and collection procedures are questioned. The forensic tool testbed profile includes the following information: • • • • • • type of OS version of OS (i.2 Document the Testbed Documenting the testbed computer(s) is as important as creating them. an independent expert could use your documentation to easily reproduce the situation.3.3.Docu m en t th e Testbed © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. kernel) number and types of applications number and types of patches and hot fixes types of hardware installed MD5 hash of DLLs/shared libraries 72 CMU/SEI-2005-HB-001 .

Document the Tools Acquisition: Document how and why you acquired each tool. CMU/SEI-2005-HB-001 73 . Identify whether you acquired the tool by downloading. Dependencies and System Affects: Tool dependencies and system affects are probably the two most important tool characteristics to identify and document. and how you use the tool (command line vs. Document how you verified the integrity of the tool while acquiring it (i. You can discover a preliminary set of tool dependencies and system affects by reading the tool’s description or read me file.3 Document and Set Up the Forensic Tools Creating a profile of forensic tools is as important as creating a profile for the testbed. and dependencies and system affects. you become familiar with each tool and understand how you can use or tailor the tool to your incident response needs. For each tool that you identify to test.3. developing. volatile information that can be collected. verified the MD5 hash for downloaded tools. By creating a profile of each tool you plan to test. Functionality: Document as many of the following as apply: the expected generated output. but you will not discover the complete set until you test the tool.. Description: Document details including—but not limited to—what OS the tool is compatible with. or purchasing it. description. how the tool operates. functionality. GUI). or testing/validation done for developed/purchased tools).3. command-line switches or syntax.e. document the following characteristics: acquisition.Docu m en t F or en sic Tool S etu p Document Acquisition Description Functionality Dependencies and system affects Create a response disk © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2.

74 CMU/SEI-2005-HB-001 . you will recognize what kind of footprint the tool leaves on a system and can use that information as follows. (For simplicity. if you do not have administrative or root credentials. They are crucial and could limit your forensic collection efforts. As you document file dependencies like shared libraries. the final step in this first responder toolkit methodology.”) Which one you choose depends upon space requirements. or CD-ROM. and registry keys. The first responder identifies these required files and shared libraries during tool testing. Any other items that are required for the tool to run (i. The output should never be saved to the live suspicious computer. you cannot recompile but you can rank tools based on which has the fewest dependencies and system affects. DLLs. Shared libraries required for Linux commands should be copied to the response disk and the executable associated with the command should be statically compiled to ensure that the command does not reference the system as it is executed. thumb drive. Create a Response Disk Tools should reside on a separate storage media device like a floppy disk. Determine how you will save the forensic tool output. and other files) should be copied onto the response disk. Systems will generally have a USB port.Tool dependencies include required access levels and the use of shared libraries. but it is a good idea to have your forensic tools on multiple storage devices. You can save the output to the response disk or to another system on the network.e. we assume disk and refer to the “response disk. CD-ROM drive. or floppy drive. and what you think you will have access to when responding to an incident. how many tools you have. • • For Linux systems. DLLs. Therefore.. you can statically recompile the command so that it will no longer reference the system. Label your response disk properly with the following minimum information: • • • time and date name of person who created and verified the response disk if the response disk contains any output files or collected evidence The National Institute of Justice (NIJ) provides guidelines for documenting computer evidence [NIJ 04]. For Windows systems. other executables. you probably will not want to use tools that require that access.

the first responder can examine tool performance. and its output window can be saved to a file for offline viewing. seeing how applications use the files and DLLs. CMU/SEI-2005-HB-001 75 .4 Test the Tools Now that you have identified and profiled forensic tools. you are ready to test each tool on the forensic testbed. Utilities like Regmon. They allow the first responder to monitor and catch changes or references to the forensic testbed system caused by the forensic tools and provide output that can be used to document the tools. functionality.3. It begins monitoring when you start it.Test th e Tools Install tool analysis utilities Perform a static analysis Perform a dynamic analysis © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. Its advanced capabilities make it a powerful tool for exploring the way Windows works. Linux): Open and configure Filemon. unzip. Filemon (Windows. and its status column displays the outcome. It has full search capability that can be filtered if you experience information overload [Russinovich 04d]. or delete occurs.3. Install Tool Analysis Utilities Acquire. LANguard or Tripwire determine each tool’s impact on the system. ListDLLs. or tracking down problems in system or application file configurations. Filemon monitors and displays file system activity on a system in real time. Dependency. Filemon. and install the following utilities on the testbed system. write. During testing. read. Filemon's time-stamping feature shows you precisely when every open. and tool generated output and—most importantly—determine what affects the tool may have on a typical system.

visit http://www. These utilities will prove to be useful in seeing if the tools change the MAC times of any files in the file system. Dependency Walker is a free utility that builds a hierarchical tree diagram of all dependent modules.dependencywalker. Another view displays the minimum set of required files and details about each file. ListDLLs will flag loaded DLLs that have different version numbers than their corresponding on-disk files (which occurs when the file is updated after a program loads the DLL). With Regmon. For each module. you see which values and keys are changed and how [Russinovich 00].com.exe. Regmon monitors the registry and shows you—in real time—which applications are accessing your registry. Dependency (Windows): Run depends. you might be able to see which registry values and keys changed. ListDLLs shows you the full path names of loaded DLL modules. If the tool that you are testing does in fact touch the file system during your testing it is extremely important to document this and see if the changes were significant or malicious. For more details. With static registry tools. which keys the tools are accessing. Figure 7: A Regmon Listing ListDLLs (Windows): Run ListDDLs. and can tell you which DLLs were relocated because they are not loaded at their base address [Russinovich 00].Regmon (Windows): Open and configure Regmon. 76 CMU/SEI-2005-HB-001 . and the registry data that they are reading and writing. LANguard (Windows) and Tripwire (Linux): Set up. it lists exported functions and functions called by other modules. and run Tripwire or LANguard SIM. configure. LANguard and Tripwire monitor file system integrity. In addition.

and reliability of each tool is gained. within the binary using the Linux or Windows command strings. supporting commands. command-line arguments. you review each tool’s documentation and file types.bindview. as shown below. stdout. Linux): Exetype is a command-line utility available in the Windows Resource Kit. If the programmer was verbose. a better understanding of the functionality. Use the -w option to start a strace session in a new window.com/Support/RAZOR/Utilities/Windows/. strings -a <filename> | less CMU/SEI-2005-HB-001 77 . For more details. Display Legible Strings Display legible strings. and—if you are lucky—complete pathnames of the source code used to build the executable. It is used to find the executable type and determine the OS and processor required to run the program file. Use the –o option to send output to a file. It is meant to be used like the strace (or truss) on Linux. The strings command in Linux displays all humanly legible strings longer than four characters.exe (Windows): Strace executes a program. and view binary data (the executable) using a hex editor. Strace for Windows systems is still in a Beta status and should be used with caution. these strings can reveal function names. This verifies that the correct file type is reflected in the downloaded tool’s filename extension. This is useful for sessions that take a long time to complete.exe (Windows. In a static analysis. Always use the -a flag. and proposed system affects. Determine the File Type Determine the file type using the Linux file command or the Windows Resource Kit exetype command. Perform a Static Analysis of the Tools Static and dynamic analyses allow you to disprove an initial assumption that each forensic tool is malicious. to process the entire file.Strace. and optionally the children of the program. Look at the keywords. and variables to understand the tool’s purpose [Mandia 01]. variable names. In the process. perform string searches. It is useful when dealing with an unknown program. trustworthiness. defined strings. Exetype. such as ASCII and Unicode strings. visit http://www. Tool Documentation Review the tool’s documentation to determine its functionality.

For Dependency. or other devices. Perform a Dynamic Analysis of the Tools In a dynamic analysis.. For outside references. DLL/Shared Library Dependencies The following utilities identify which files each forensic file references. use the Open button to navigate to and open your tool. Dependency then displays all DLLs required for the tool to run.e. use any freeware hex editor. disk. Windows: Use ListDLLs or Dependency to determine DLL dependencies. CD-ROM or thumb drive). set the utility’s filters to look for the filename of the forensic tool’s executable only so that references by all other tools and application are ignored. The rogue code’s names may provide clues about the function’s purpose. which can be difficult to read [Mandia 01]. Review the Filemon and Regmon filter displays to see if your tool references any part of the file system outside of its own location (i. Exetype is a power tool for extracting information about a running executable. you use traces to determine file access and dependencies. strace tracks it. which allows you to rank each tool’s impact on a system and understand the expected side affects of each tool. document the target and the time it was referenced. you can determine the total system impact of each tool. or allocates memory. performs IO with network. Document and save all results. For Linux systems.View Binary Data View binary data to uncover abnormal function names. File System and Registry Key References Use Filemon and Regmon to trace each tool’s file system and registry key references during execution. 78 CMU/SEI-2005-HB-001 . Whenever an application or tool writes to the screen. Consider performing string searches on the outputted file. use the GNU debugger gbd with info variables as shown below. Before you begin. and then document the output. gbd <filename> info variable For Windows systems. Exetype is a Windows Resource Kit utility and a Linux command. Kernel Access Strace is a Linux utility that wiretaps the system and reports every access of kernel resources. In the process.

Create a First Responder Toolkit Logbook After testing.For ListDLLs. Linux: Use the ldd command to determine shared library dependencies. During the actual data collection described in Modules 3 and 4. run your forensic tool first and then run ListDLLs to display the loaded DLLs. you will refer to this book to determine which tools best fit your system and situation. CMU/SEI-2005-HB-001 79 . create a folder or file that includes the following for each forensic tool: • • • • the profile documentation static analysis results dynamic analysis results This logbook should be kept handy. The ldd command prints the shared libraries required by each program or command specified on the command line.

3.5 Benefits of Proper Tool Testing If you follow these best practices for testing tools before you use them.3. you can significantly reduce the time it takes to respond to a security incident while establishing the reliability of each tool’s output for use in a forensic investigation or court of law.Ben efits of P r oper Tool Testin g Incident Explaining to law enforcement forensic investigations Court witness © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. 80 CMU/SEI-2005-HB-001 .

The RCMP hdl was selected for the hard disk write block category. CFTT Methodology Overview The testing methodology developed by NIST is functionality driven. The activities of forensic investigations are separated into discrete functions or categories. DoD. Final test reports are posted to a Web site maintained by NIJ. however the steering committee makes the decision about which tools to test.3. Computer Forensic Tool Testing Program The Computer Forensics Tools Verification project provides a measure of assurance that the tools used in the investigations of computer-related crimes produce valid results. CMU/SEI-2005-HB-001 81 . Currently the steering selects tool categories for investigation and tools within a category for actual testing by CFTT staff. string searching. and SafeBack. such as hard disk write protection. A vendor may request testing of a tool.cftt.NIS T Meth od ology NIST: National Institute of Standards and Technology.gov/ © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. such as the National Software Reference Library (NSRL). Currently we have developed a methodology for disk imaging tools and are developing a methodology for software hard disk write blocking tools. The CFTT testing process is directed by a steering committee composed of representatives of the law enforcement community. Included are the FBI. Under the disk imaging category the tools selected initially for testing were: Linux dd. It also supports other projects in the National Institute of Justice’s overall computer forensics research program. A test methodology is then developed for each category. Information Technology Laboratory. NIST/OLES and other agencies. etc.3.6 NIST Methodology Before we developed our methodology for creating a first responder toolkit. The following is an excerpt. http://www. we examined the National Institute of Standards and Technology (NIST) Computer Forensics Tool Testing Program [NIST 03]. Deleted file recovery tools will be the next category for development of a test methodology.nist. disk imaging. NIJ (representing state and local agencies).

A test environment is designed for the tool category. 3. Vendor reviews test report. Specification development process After a tool category and at least one tool is selected by the steering committee the development process is as follows: 1. the test process is as follows: 1. Relevant comments and feedback are incorporated into the specification. assertions and test cases document (called the tool category specification). 9. 2. Tool test process After a category specification has been developed and a tool selected. NIST executes tests. 5. Steering Committee reviews test report. 8. NIST selects relevant test cases depending on features supported by the tool. NIJ posts test report to Web. 6. 82 CMU/SEI-2005-HB-001 . 3. 2. NIST acquires the tool to be tested. 7. 4. The tool category specification is posted to the Web for peer review by members of the computer forensics community and for public comment by other interested parties. 2. NIST and law enforcement staff develops a requirements.1. NIST produces test report. 10. NIST reviews the tool documentation. 4. NIST develops test strategy. NIST posts support software to Web.

You should understand that files leave traces when deleted and know that those file artifacts are hidden in swap and slack space. your evidence will be challenged. you take administrative action against an individual or submit evidence to a court of law. Together these provide for a better understanding of the fragile nature of forensic evidence. Building a first responder toolkit using this module’s methodology provides you with a baseline understanding of the different systems in the work environment.Summary Importance of understanding physical hard drive Different file systems Duplicating terms Different media Wiping data First responder toolkits © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2.4 Summary From this module you have been exposed to some basic hard drive geometry. defined process. Without a repeatable. based on collected evidence. Establishing and using this repeatable. and an overview of how the hard drive works with an OS’s file system to store data. CMU/SEI-2005-HB-001 83 . Investing the time and effort in creating a first responder toolkit pays off when an incident occurs and the scramble to collect evidence ensues. defined collection process is essential if.

High-level formatting establishes the OS’s file system.Review 1. 2. False. shortcuts). wiping a file permanently remove all traces. 4. and Linux installs the file system on the hard drive. 2. multiple data streams. True. 6. unallocated space. Only a bit-by-bit or duplicate image provides all binary data from a disk. Windows artifacts and alternate data streams in the NTFS hold keys to a file’s existence even after a DoD standard wipe. 3. 3. (True/False) Statically-linked tools are preferred over dynamically-linked tools. Name two locations from where an investigator might recover a file or file information after deletion. (True/False) A basic copy or image of a drive contains all of the file information present. Their exact size is determined by the Windows version and size of the hard drive. Using the basic copy command or imaging only reproduces the allocated space.e. 6. 5. Clusters are a fixed size with incorporate several sectors. Low-level formatting occurs at the factory and installs the sectors and tracks on the disk. temp files. False. 84 CMU/SEI-2005-HB-001 . windows artifacts (i. (True/False) Low-level formatting installs Windows. (True/False) Clusters are sized to specifically fit a file. © 2005 Carnegie Mellon University Module 2: Understanding File Systems and Building a First Responder Toolkit 2. slack space. registry. 4. (True/False) With Windows NTFS. Statically-linked is preferred because all file dependencies are trusted and not accessed from the suspicious computer’s hard drive. Review False.5 1.. Swap space (virtual memory). 5. False.

But the shutdown precludes the collection of volatile data. To collect volatile data. Patent and Trademark Office This material is approved for public release.S. PA 15213-3890 © 2005 Carnegie Mellon University ® CERT. developing. and preserve sensitive data that is left on a system’s hard drive(s). CERT Coordination Center. tools. techniques. After shutdown.1 Introduction This module briefly reviews some best practices. Distribution is limited by the Software Engineering Institute to attendees. computer forensics has focused on researching. the first responder needs a running computer system. It also explains the importance of collecting volatile data before it is lost or changed on the suspicious computer. persistent data on the computer’s hard drive or other persistent storage media devices is collected. and others) generally react to a computer security incident by properly shutting down and securing the suspicious computer. and Carnegie Mellon are registered in the U. critical sources of information that are lost when the computer is rebooted or shut down. store. Traditionally. and methodologies to collect.3 Module 3: Collecting Volatile Data Forensics Guide to Incident Response for Technical Staff Module 3: Collecting Volatile Data CERT® Training and Education Networked Systems Survivability Software Engineering Institute Carnegie Mellon University Pittsburgh. CMU/SEI-2005-HB-001 85 . and tools for collecting volatile data from live Windows and Linux systems. and implementing proper techniques. First responders (system and network administrators. law enforcement officers. 3.

86 CMU/SEI-2005-HB-001 . There are many open source tools that allow the first responder to pull volatile information from a live system.g. VBScript. Little attention has been given to developing a portable. However. these tools and techniques focus almost exclusively on extracting and analyzing nonvolatile (persistent) data from hard drives.. batch files.. Sysinternals’ PsList generates details about processes that are currently running). First responders need to identify and gather a set of open source tools (including native commands) that collect the range of volatile data. all-in-one application for collecting volatile data from a live machine. Perl. safe. law enforcement and information security professionals have invested significant resources into developing forensic data retrieval tools like Guidance Software’s EnCase. and shell scripts) to execute all tools and commands and automate the data collection. Then they can use scripting languages (e.g. Access Data’s FTK. and NTI’s Law Enforcement Suite. However. not the complete set of volatile data (e. most open source tools are specifically designed to collect portions of volatile data.In recent years.

what it is. the different types. The bulk of this module introduces the methodology and specific tools for collecting volatile data.2 Objectives This module focuses on the critical role of the first responder in collecting volatile data from a live suspicious machine during a security incident. the root cause of the incident.. and why it should be collected) and the tools used to collect it should give the first responder a working knowledge of the subject. the order of volatility. It includes steps for safely collecting volatile data so that you can determine the current state of the computer. Discussions of volatile data characteristics (e. and what to do next. Common first responder mistakes are also highlighted so that you do not hamstring your efforts. CMU/SEI-2005-HB-001 87 .Objectives Role of a first responder What volatile data is Order of volatility Why volatile data is important to collect First responder mistakes Types of volatile data Volatile data collection methodology © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3.g.

persistent.Role of a F ir st Respon d er Essentially the first person notified and reacting to the security incident Responsibilities: • Determine the severity of the incident • Collect as much information about the incident as possible • Document all findings • Share this collected information to determine the root cause © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. He will generally be the first person notified and the first person to react. the first responder is a system or network administrator. but by definition it is whoever is assigned to handle security incidents and determine their root causes. The first responder should be prepared and his actions should be planned. 88 CMU/SEI-2005-HB-001 . He should have a first responder toolkit and a predetermined incident response plan to follow regardless of the type of data (volatile. or both) being collected. Deliberate – rash or hurried actions could damage potential evidence.3 Role of a First Responder The first responder to a security incident has a unique and important position to play. In most cases.

If you create MD5 checksums of the hard drive before and after using a utility like DD. RAM) and is lost if the machine loses its power. One such tool is dd. preventing contamination of the suspicious computer is an ongoing issue. persistent data should be collected when it is clear that evidence related to the computer security incident resides in the persistent storage areas.Wh a t is Vola tile Da ta ? Definition: Any data stored in system memory that will be lost when the machine loses power or is shut down Location: Registers. that has the capability to create a bit-by-bit copy of the suspicious computer’s hard drive.g. or rebooted. Garner Jr. contamination is harder to control because tools and commands may change CMU/SEI-2005-HB-001 89 . connected USB drives. the first response to a computer security incident should be to collect volatile data and analyze the results to determine a next course of action. a free imaging utility developed by George M. system registers.4 What is Volatile Data? Volatile data is stored in system memory (e. For persistent data collection.exe. if you notice suspicious user activity or if you have been alerted that a rule or policy has been violated such as firewall or IDS alert.g. and RAM (this module focuses on RAM) © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. flash cards. tools. cache. For both collection strategies. and methodologies. Generally. In any case. Volatile data collection focuses on collecting data (primarily from RAM) that could be lost if the computer is shut down or rebooted.. contamination can be controlled by current techniques. you can compare them and authenticate the copy. is shut down. Volatile data should be collected if you are not sure why a computer is acting abnormally. Persistent data resides in the system’s hard drives or other nonvolatile storage devices (e. CD-ROMs. cache.. and other external hard drives) and is typically not lost when the machine is shut down or rebooted. For volatile data collection.

or—worst case—force a reboot and lose all volatile data. you can use the collected data and a reproducible methodology to reconstruct a logical representation of the current state of the suspicious system. Obviously.file access dates and times. you can not make a bit-by-bit copy of a live computer. These potential effects should have been uncovered and documented during Module 2’s tool testing phase of creating a first responder toolkit. trigger the execution of malicious software (malware). But if you use best practices and a first responder toolkit. use shared libraries or DLLs. 90 CMU/SEI-2005-HB-001 .

CMU/SEI-2005-HB-001 91 . process table. The order of volatility for Windows and Linux computers is the same [Brezinski 02]. consider the data’s order of volatility: that is.e. kernel statistics. and so on © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. you collect data that has the highest chance of being changed. This module focuses on data stored in RAM. or lost first. disk. It shows how to collect this data safely and securely while minimizing the footprint you leave on the suspicious computer.5 Order of Volatility As you collect data (i.Or d er of Vola tility Registers and cache Routing table. potential evidence) from a live computer. arp cache. connections Temporary file systems Hard disk or other nonvolatile storage devices Remote or off-site logging and monitoring data Physical configuration and network topology Archival media such as backup tapes.. modified.

For example.6 Why is Volatile Data Important? Volatile data stored in RAM must be obtained immediately after the security incident is reported so that data about the current state of the computer—including logged on users. you may have enough data to determine that the initial alert that flagged this computer is valid.Wh y is Vola tile Da ta Im por ta n t? Gain initial insight - Current state of the system What activities are currently/were being executed Validity of the alert that flagged the suspicious computer Root of the problem Determine a logical timeline of the incident - Identify the time. After you collect as much volatile data as you can. you will have to remove it remotely and then verify if it is malicious. decide on the next step. 92 CMU/SEI-2005-HB-001 . it’s too late! © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. date. This data helps you determine a logical timeline of the security incident and the possible users responsible. a likely root cause. running processes. You may then discover a rogue process. and user responsible for the security incident Determine next step Decide whether a full collection of the persistent data on the suspicious computer is necessary One chance to collect - After the system is rebooted or shut down. And if the rogue process is running on a critical asset. and open connections—can be collected. The key is to view the suspicious computer as completely unreliable until—using the methodology and tools described in this module—some level of trust is established.

7 Common First Responder Mistakes Because many first responders play dual roles as system and network administrators. they may never consider developing a volatile data collection methodology. For the methodology to be successful. Swamped with routine day-to-day tasks. Closing an open shell or terminal may have the same effect. time bombs. • assuming that some parts of the suspicious computer are reliable In this case. they have little time to properly plan for and then handle security incidents. first responders should avoid the two most critical mistakes: • shutting off or rebooting the machine In this case. and other malware to delete key volatile data. using native commands on the suspicious computer may trigger Trojans. CMU/SEI-2005-HB-001 93 .Com m on F ir st Respon d er Mista kes Shutting down or rebooting the suspicious computer Assuming that some parts of the suspicious machine may be reliable and usable s to ces tion g ac a avin ument h Not e doc e elin bout th puter bas m a s co iciou usp s © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. though. all volatile data is lost: connections and running processes are closed and MAC times are changed.

is to remove the OS and reload it from the original installation media. It provides a documented approach for performing activities in a coherent. we need to provide a sound volatile data collection methodology. Having a methodology is important. 94 CMU/SEI-2005-HB-001 . To avoid these drawbacks. The actual data collection is not performed until the final step. Often.Vola tile Da ta Collection Meth od ology © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. an administrator’s default action. Harlan Carvey [Carvey 04] states that most system administrators do not have a clear process to follow when responding to security incidents. Several drawbacks are that a root cause analysis is never done and reloading the OS takes the system out of service. Develop and use this methodology so that you collect volatile data the first time: you only get one chance.8 Volatile Data Collection Methodology Before we introduce specific tools. and repeatable manner [ICH 03]. an initial forensic collection of the volatile data on the live system should be performed. What follows is a six part methodology for first responders to use when volatile data has to be collected from a live computer. consistent. due to lack of knowledge or time. accountable.

You can. the following items should be in place.S tep 1: In cid en t Respon se P r epa r a tion Forensic Tool Test Bed First responder toolkit Creation of Collection policies © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. you can never eliminate or even anticipate every type of security incident or threat. Before an incident occurs.1 Step 1: Incident Response Preparation As a first responder.8. be prepared to react successfully and swiftly so that you can collect all types of volatile data from a live computer. however. • • • a first responder toolkit (response disk) an incident response team (IRT) or designated first responder (NIST’s guidelines [NIST 01] are a good resource) forensic-related policies that allow for forensic collection CMU/SEI-2005-HB-001 95 .

8. be straightforward and consistent so that your generated profiles and logs are organized and readable. The checklist shown in the graphic is taken from Foundstone’s Incident Notification Checklist [Mandia 01].2.2 Step 2: Incident Documentation In your incident documentation. • • • • • • • How was the incident detected? What is the scenario for the incident? What time did the incident occur? Who or what reported the incident? What hardware and software are involved? Who are the contacts for involved personnel? How critical is the suspicious computer? 96 CMU/SEI-2005-HB-001 . These best practices provide an audit trail of the chain of custody for the security incident. Stamp your logs with the time. and identity of the person performing the forensic collection.8. use consistent naming conventions for forensic tool output. date.S tep 2: In cid en t Docu m en ta tion Incident profile Forensic collection logbook First responder toolkit documentation © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. 3. Use the following profile information to determine your volatile collection strategy or next course of action.1 Incident Profile Document as much information about the security incident as possible. For example.

3.e.2.8. use a logbook (i.8.3 First Responder Toolkit Logbook As you collect volatile data. It contains information about forensic tool usage. a text file or notebook) to document all of your actions. changed MAC times for specific files) as first responder tools are executed (these effects were discovered in Module 2) 3. and system affects for each collection tool or native command you tested. output.e.2 Forensic Collection Logbook During your forensic collection. The logbook provides a timeline of events and an audit trail if unforeseen things occur during the collection. CMU/SEI-2005-HB-001 97 .. refer to the first responder toolkit logbook that was created in Module 2.2. Include the following: • • • • • who is performing the forensic collection history of executed forensic tools and commands generated forensic tool and command output date and time of the executed commands and tools expected system changes or effects (i.. Use the logbook to determine which tools are the best for your situation.

(See Module 1. • • • Examine any policies the user of the suspicious computer has signed.org/advisories/CA-1992-19. As necessary.org/security-improvement/practices/p044.org/tech_tips/win-UNIX-system_compromise.cert.html CERT® Advisory CA-1992-19 Keystroke Logging Banner http://www. In particular. make sure that you do not violate any rights of the registered owner or user of the suspicious computer.html#A.) We recommend that first responders read the following CERT Coordination Center publications before collecting any data: • • • Establish Policies and Procedures for Responding to Intrusions http://www. Determine if the user consented to monitoring either through a signed policy statement or through system banners.1 98 CMU/SEI-2005-HB-001 .cert.S tep 3: P olicy Ver ifica tion Determine your authority to collect Determine your manner to collect © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. determine the legal rights (including a review of federal statutes) that the user has so that you can determine what forensic capabilities and limitations you have.8.html Steps for Recovering from a UNIX or NT System Compromise http://www.3 Step 3: Policy Verification Make sure that any actions you plan to take as first responder do not violate any existing computer and network usage policies.cert.

USB) Machine connected to the network © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3.. Use the first responder toolkit logbook and the questions from the graphic to develop a collection strategy that will address your situation and leave the smallest possible footprint on the suspicious computer. CD-ROM.S tep 4: Vola tile Da ta Collection S tr a tegy Types of volatile information to collect Tools and techniques that facilitate this collection Location for saved forensic tool output Administrative vs. CMU/SEI-2005-HB-001 99 . floppy.e. user access Type of media access ( i.4 Step 4: Volatile Data Collection Strategy No two security incidents will be the same.8.

e.) to collect forensic tool output.1 Establish a Trusted Command Shell As stated earlier.S tep 5: Vola tile Da ta Collection S etu p Establish a trusted command shell Establish the transmission and storage method Ensure the integrity of forensic tool output © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. 3. floppy. do not open or use a terminal or command shell from the suspicious computer. etc. If the suspicious computer is a Linux system running X-Windows.5. Therefore.8. Two reliable freeware utilities that transmit data remotely via a network are Netcat and Cryptcat. Netcat is a networking utility that reads and writes data across network connections using the TCP/IP protocol. identify and document how that data will be transmitted from the live suspicious computer to the remote data collection system. exit X-Windows. USB drive.8. It is designed as a reliable "back-end" tool that can be used directly or 100 CMU/SEI-2005-HB-001 . you do not want to make that common first responder mistake of trusting any parts of the suspicious computer.8. Some UNIX flavors have a vulnerability that allows attackers to log your keystrokes [Mandia 01].2 Establish a Method for Transmitting and Storing the Collected Information Because you may not have enough space on your response disk (i. The response disk that was developed during Module 2 should include a trusted command shell along with the forensic tools.5 Step 5: Volatile Data Collection Setup 3.5. This will minimize the footprint on the suspicious computer and prevent the triggering of any kind of malware that have been installed on the system..

compute an MD5 hash of it. able to create almost any kind of connection you need and with several interesting built-in capabilities [GNU 04]. When an electronic file is transferred or sent to another party.3 Ensure the Integrity and Admissibility of the Forensic Tool Output To ensure the integrity and admissibility of forensic tool output. Figure 8: An MD5 Hash CMU/SEI-2005-HB-001 101 .8. It is also a feature-rich network debugging and exploration tool. It ensures data confidentiality while transmitting it over networks and is particularly useful if you suspect a network sniffer. a rehash verifies its integrity. Cryptcat is a lightweight version of netcat with integrated transport encryption capabilities. 3.5.driven by other programs and scripts.

4. date. time. generate the date and time to establish an audit trail. and command history. and command history for the security incident. Collect all types of volatile system and network information. End the forensic collection with date. Begin a command history that will document all forensic collection activities. 102 CMU/SEI-2005-HB-001 . 5. 2.6 Step 6: Volatile Data Collection Process Now you are ready to collect volatile data. As you execute each forensic tool or command.8. © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. The remaining sections of this module describe each data type and specific tools for collecting it. Collect uptime.S tep 6: Vola tile Da ta Collection P r ocess 1. 3. time.

9 Types of Volatile Information Two types of volatile data that can be collected from the suspicious computer: system information and network information. The forensic collection tools that are described in the balance of this module are organized by these two data types. CMU/SEI-2005-HB-001 103 .Types of Vola tile In for m a tion Volatile System Information: A collection of information about the current configuration and running state of the suspicious computer Volatile Network Information: A collection of information about the network state of the suspicious computer © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3.

clipboard data Logged on users DLLs or shared libraries © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. probable causes. start up files. 104 CMU/SEI-2005-HB-001 .9.Vola tile S ystem In for m a tion System profile Current system date and time Command history Current system uptime Running processes Open files. while not exhaustive. configuration. and users for you to begin to understand the severity. and perpetrator of the security incident.1 Volatile System Information This list of volatile system information types. reveals enough details about the suspicious computer’s current state.

This profile provides a physical “snapshot” of the computer and is often requested by a forensic examiner. Ideally.S ystem P r ofile Definition: Describes the suspicious computer’s configuration systeminfo uname cat Purpose: To document the baseline configuration for comparison purposes psinfo © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3.9. The system profile includes the following details about the configuration of the suspicious computer: • • • • • • • • OS type and version system installation date registered owner system directory total amount of physical memory pagefile location installed physical hardware and configurations installed software applications The following sections describe tools and commands for collecting this information.1.1 System Profile The system profile describes the baseline configuration of the suspicious computer. CMU/SEI-2005-HB-001 105 . system and network administrators create these profiles for all computers within their IT and network infrastructures. but if one doesn’t already exist for the suspicious computer. create it now.

In Figure 10. Use it to query for types of installed software.exe command does not show you. PsInfo is versatile. the PSInfo creates profiles of the local system.exe (Windows) The native systeminfo. we used Psinfo to query the suspicious computer for the number of applications installed. 106 CMU/SEI-2005-HB-001 . hard drive size. You can run it remotely by specifying a username and password of the suspicious computer. PsInfo relies on remote registry access to obtain data on non-local systems.exe command allows you to create a system profile that includes • • • • • • • registered owner original install date system uptime BIOS version system directory logon server number of network cards installed Figure 9: The systeminfo Command PsInfo (Windows) Sysinternals’ PsInfo also allows you to create a system profile to include installed software packages and hot fixes. hot fixes. By default.Systeminfo. and remaining unused space. which the Systeminfo. The remote system must be running the Remote Registry service and the account from which you run PsInfo must have access to the HKLM\System portion of the remote registry [Russinovich 04a].

meminfo. and the OS kernel version. the OS release. Figure 11: The cat Command Uname (Linux) The native uname command allows you to create a system profile that includes machine name. machine’s network node hostname. CMU/SEI-2005-HB-001 107 . the type of processor. uptime. filesystems. and cpuinfo files located in the proc file.Figure 10: The PsInfo Command Cat (Linux) The native cat command allows you to create a system profile by displaying file contents of the version.

Figure 12: The uname Command If you did not know the kernel version on the suspicious computer. this information is particularly important. 108 CMU/SEI-2005-HB-001 . An old kernel that hasn’t been patched or recompiled may have vulnerabilities that are well documented by the vendor.

1. and command history are important throughout the forensic collection process. During data collection. time. If the suspicious computer has CMU/SEI-2005-HB-001 109 .2 Current System Date and Time and Command History The system date.Cu r r en t S ystem Da te a n d Tim e a n d Com m a n d H istor y Purpose: Documents the start of your data collection Gain insight to recent command or terminal activity Documents the end of your data collection date doskey date history © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. It includes a list of recently executed commands performed by a local or remote user within an established terminal or command shell. Figure 13 shows how the native date and time commands can be used with a native forensic command like netstat to document at what time and date you executed the netstat command. the first responder uses the current date and time to document when he discovered the suspicious computer and started collecting volatile data. Figure 13: date and time Commands Used with netstat In both Linux and Windows the command history reveals recent activities of the suspicious computer’s user(s). he uses the current date and time to document when each forensic tool or command was executed. These date and timestamps are critical to admissible data and easy to obtain from native OS commands and free open source tools.9. Initially.

collect the command history for each one. But be advised. After you are done collecting data from the suspicious computer. use a native OS command or freeware utility to collect the command history. As stated earlier. For the current command history. you lose the command history if the open Windows command shell is closed. A collected command history also functions as an audit trail of first responder actions. time. and command history do the following: • • Determine if there is any discrepancy between the collected time and date and the actual time and date within your time zone. The same is not true for Linux systems: you can still recover a command history if a terminal is closed. or anti-virus software 110 CMU/SEI-2005-HB-001 . determine if administrative commands have been abused to − − − − add user accounts change NIC configuration install unauthorized software applications disable security logging. Windows history log is virtual while Linux’s is persistent.more than one user account. As you collect a suspicious system’s current date. firewalls.

1.Cu r r en t S ystem Uptim e Definition: Indicates how long the system has been running since the last reboot. And it may not be worthwhile if the security incident occurred before the beginning of the uptime period. It uses the Performance Data Helper library to easily read the System Up Time performance counter on the local or remote computer.3 Current System Uptime System uptime is the period of time that the system has been running since its last reboot. Figure 14: The PsUptime Command CMU/SEI-2005-HB-001 111 . PsUptime (Windows) SysInternals’ PsUptime tells you how long a Windows system has been up. the system has been rebooted recently and it may not be worthwhile to collect volatile data. Purpose: Helps determine if volatile data collection is worth performing Indicates whether the security incident occurred during the uptime period psuptime systeminfo uptime w © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3.9. For example. It can help the first responder determine if a volatile data collection is worth performing. if uptime is only a few minutes.

e.exe \\<computer name>). the machine has been up for approximately one hour and eight minutes from an initial logon at 7:33 p. Figure 15: The net statistics Command Uptime and W (Linux) The native uptime and w commands allow you to collect uptime information..To gather information on a remote computer. net statistics workstation or server). Net Statistics (Windows) The native net statistics command also allows you to collect uptime information (i. simply specify the computer’s name with the command: psuptime. In Figure 16.m. Figure 16: The uptime and w Commands 112 CMU/SEI-2005-HB-001 .

first responders should compare each running process’ PID (process identifier) or process filename to a list of legitimate system and application processes. CMU/SEI-2005-HB-001 113 . Rogue processes can be created and started independently and are often named for legitimate processes.1.9.Ru n n in g P r ocesses -1 Purpose: Identifies legitimate versus malicious processes Identifies unauthorized running software applications Identifies premature termination of legitimate processes netstat pulist tlist pslist ps w top fuser © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. To address this problem. Uniblue [Uniblue 04] provides a list of legitimate processes for Windows systems on their Web site.4 Running Processes Examine the list of currently running processes to identify unnecessary or possible rogue (malicious) processes. which can make them extremely difficult to identify.

Therefore. authorized activities) • Processes that have terminated prematurely • Processes that are run at unexpected times • Processes that have unusual user identification associated with them © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data Harlan Carvey [Carvey 04] recommends documenting this set of characteristics for each running process: • • • • • • the process’ executable image the command line used to initiate the process how long the process has been running the security context that it runs in modules or libraries (DLLs) it accesses memory that the process consumes Currently. the following examples show you how to use a combination of commands and utilities to assess process PID (2928).e. those not due to normal..Ru n n in g P r ocesses -2 What to look for: • Unusual filenames or extra processes (i. 114 CMU/SEI-2005-HB-001 . no single utility comprehensively assesses running processes.

Use Sysinternals’ ListDLLs to determine the command line used to execute the process.1. Use Sysinternals’ PsList to discover how long firefox. Figure 18: Using ListDLLs to Determine Command Line 3. Use netstat –ab output to determine that the executable file for process PID (2928) is firefox.exe.exe (the 2928 process) has been running. Figure 19: Using PsList to Determine How Long a Process Has Been Running CMU/SEI-2005-HB-001 115 . Figure 17: Using netstat –ab to Determine Process Executable Image 2.

svchost1.exe process is currently consuming. In Figure 22. Use Sysinternals’ PsList to discover how much virtual memory the firefox.exe.4.exe . Figure 20: Using PsList to Determine How Much Virtual Memory a Process Is Using 5.exe.exe. klogger. the following four processes are well-known rogues: tini. and qfskrtwj. Figure 22: Pulist Output 116 CMU/SEI-2005-HB-001 . Figure 21: Using ListDLLs to Discover the Currently Loaded DLLs for a Process Pulist (Windows) Pulist output can be examined for unexpected process filenames and unusual user identifications.exe process. Use ListDLLs to discover the currently loaded DLLs for the firefox.

exe.Tlist (Windows) Windows NT Server Resource Kit includes tlist.. allows you to view process and thread statistics on a remote computer. thread statistics). Figure 24: PsList CMU/SEI-2005-HB-001 117 . which lists active tasks and processes. Figure 23: tlist. unlike pmon and pstat.e.exe PsList (Windows) Sysinternals’ PsList combines outputs from pmon and pstat to show process CPU and memory information (i. PsList.

memory usage and runtime. create a process memory dump using the pmdump. Table 2: Pri: Thd: Hnd: Mem: VM: PsList Output Headings Priority Number of threads Number of handles Memory usage Virtual memory WS: WSPk: Priv: Faults: NonP: Working set Working set peak Private memory Page faults Non-paged memory Memory Dump To learn more about a suspected rogue process.exe utility and then perform string searches on the file (e.Table 2 shows definitions for the PsList utilities’ command output headings. use the Ctrl F command or the strings utility). Sort features can also be specified in the personal or system-wide configuration files. Figure 25 shows the command string required to create a dump of the running process called winlogin.. 118 CMU/SEI-2005-HB-001 . Top (Linux) The top command provides an ongoing look at processor activity in real time. Figure 25: A Process Memory Dump A better alternative is to export the running process’ executable image to a forensic tool testbed for closer analysis.g. It lists the most CPU-intensive tasks and includes an interactive interface for sorting processes by CPU usage.

press the appropriate key to update speed (s).Figure 26: The top Command Be aware that top can be configured to refresh at regular intervals so that results created immediately after each other may be different. Figure 27: The w Command CMU/SEI-2005-HB-001 119 . hide idle processes (i). W (Linux) The w command displays the current processes for each shell of each user. or kill a processes (k). While top is running.

8. 2203 View all processes with full command lines 120 CMU/SEI-2005-HB-001 . A ptsn or ttypn may signify a connection over the network. Figure 28: The ps Command Figure 28 displays information about the root’s currently running processes. A ttyn (where n is zero or a positive integer) signifies a logon at the console (a user logging on to the system from the local console or keyboard). 8. along with the netstat command. is one of the most powerful Linux administrative management commands. LOGIN@ IDLE JCPU PCPU WHAT Local starting time of the connection Length of time since the last process was run Time used by all processes attached to the tty or pts Processor time used by the current process in the WHAT column Process that the user is currently running Ps (Linux) The ps command.Output includes the following fields [Mandia 01]: Table 3: Field TTY w Command Output Fields Description Control terminal assigned to the users session. FROM Fully qualified domain name or numerical IP address of the remote host. A hyphen (-) in this field corresponds to a local logon at console. 2203 $ ps –efww A Subset of ps Options Description View current processes View other system users running processes View all occurrences of a program View selected processes 4. Table 4: Option $ ps –ux $ ps –U user $ ps –C program_name $ ps –p4. A subset of the ps command’s 80 options that are most useful to first responders are listed in Table 4 [Barrett 04].

in kilobytes CMU/SEI-2005-HB-001 121 .Table 5 describes some output headings for ps and top output [Nemeth 01]. Table 5: Field USER PID %CPU %MEM VSZ RSS TT STAT Current Process Status R= Runnable I = Sleeping (< 20 sec) T = Stopped Additional Flags L = Some pages are locked in core (for rawio) S = Process is a session leader (head of control terminal) W = Process is swapped out + = Process is in the foreground of its control terminal START TIME COMMAND Time the process was started CPU time the process has consumed Command name and arguments D = In disk wait S = Sleeping (> 20 sec) Z = Zombie Output Headings for ps and top Description Username of the processes owner Process ID Percentage of the CPU this process is using Percentage of real memory this process is using Virtual size of the process.

local] © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3.5 Open Files. modification of. files are created that allow the malware to start (when the system is rebooted) or continue to run (when the user logs out). images. such files are generally created with the startup folders for Windows computers or within the rc. Therefore. Look for valuable data like passwords.local file for Linux. a n d Clipboa r d Da ta Purpose: Insight to recent user activity Recover temporarily stored pictures or docs Recover used passwords Insight to unauthorized access to. For example.Open F iles. Dir (Windows) The native dir command lists the last access times on files and folders.9. or creation of files dir afind Macmatch autorunsc Handle & Pclip ls find lsof file Cat [/etc/rc. collect and document the following data: • • • open or recently created documents startup files and programs Dates and Times associated with MAC times for critical folders and files like Windows System32 folder and Linux’s proc file Examine this data as follows: • • • Review open files for sensitive data or information that may be relevant to the security incident. 122 CMU/SEI-2005-HB-001 . and Clipboard Data When malware such as a Trojan or Rootkit infects a system.1. and pieces of documents on the clipboard. Startup Files. S ta r tu p F iles. Search for unusual MAC times on critical folders and startup files.

Figure 29 shows how to collect the last access times on all files and folders within the c:\ drive. Figure 29: The dir Command The native dir command includes the following options: Table 6: Option /t: a /a /s /o:d dir Command Options Description Displays the last access field to be displayed and used for sorting Displays all files….g. With options. you can specify certain folders (e.Plus any hidden files Displays files in specified directory and all subdirectories Displays files in sorted order by date CMU/SEI-2005-HB-001 123 .. System32).

Usage is shown in Figure 31. which includes a search within a certain timeframe for recently accessed files such as the tini. you can compare access times with logon information provided from ntlast and begin to determine user activity even if file logging had not been enabled.exe.Afind (Windows) Figure 30 shows how to search for a file’s access time within a specified location. or creation time without changing any of these times [Vidstrom 04]. MACMatch (Windows) NTSecurity. 124 CMU/SEI-2005-HB-001 . last access. Figure 30: The afind Command By specifying the general time period of the security incident.nu-developed MACMatch allows you to search for files by their last write.

All three products provide much more detail than Windows’ Msconfig utility. Figure 32: Autorunsc CMU/SEI-2005-HB-001 125 . Both incorporate a GUI.Figure 31: MACMatch Autorunsc (Windows) Sysinternals’ Autoruns and DiamondCS’ Autostart are freeware utilities that list files in the startup areas. which is a drawback: Autorunsc is Autoruns command-line version.

126 CMU/SEI-2005-HB-001 . toolbars. auto-start services. You can use it to see the programs that have a file open. including Windows Explorer shell extensions. and it also allows you to close opened files either by name or by a file identifier [Russinovich 01]. PsFile and Handle (Windows) Unsaved files or edits are lost after the system is shut down. PsFile is a command-line utility that shows a list of files on a system that are opened remotely. Autorunsc [Russinovich 04b]. programs with open files. Also included in the download package is a command-line equivalent that can output in CSV format. and the names of all program handles. Sysinternals’ PsFile and Handle utilities allow you to display open files (executables and user-created). winlogon notifications. and much more. Autoruns’ “Hide Signed Microsoft Entries” option helps you to zoom in on thirdparty auto-starting images that have been added to your system. Programs include ones in your startup folder and Run. RunOnce. or to see the object types and names of all the handles of a program [Russinovich 04c]. You can configure Autoruns to show other locations. and other registry keys. Figure 33: PsFile Handle is a utility that displays information about open handles for any process in the system.Autoruns has a comprehensive knowledge of auto-starting locations and shows what programs are configured to run during system bootup or login in the order Windows processes them. browser helper objects.

allows you to list files and their file access times. In Figure 36. ls –alRu displays the last access times for files in the root folder.In Figure 34 we demonstrate how we can utilize the handle. Ls (Linux) The native ls command. Figure 35: Pclip In Figure 35. Figure 34: Handle Pclip (Windows) Two freeware utilities. like the Windows dir command. or image. The clipboard is nothing more than an area of memory for temporarily holding information [Carvey 04]. password. allow you to dump the Windows clipboard contents: a document fragment. CMU/SEI-2005-HB-001 127 . pclip displays a copied text string.exe utility to look at all open handles for the potential rogue process svchost1. GNU’s pclip utility and Harlan Carvey’s Perl script.

usually called the global permissions. The owner of the object is given in the third column and the group the object belongs to is in the fourth column. root owns anaconda-ks. Remember that root always has the ability to change the permissions on any file or directory. a directory (d).Figure 36: The ls Command For Linux. enter the following command: ls – alct 128 CMU/SEI-2005-HB-001 . write (w). In Figure 36. and execute (x).cfg and has read and write access.1 root − − − − − root 2823 Nov 1 20:40 The first character in the above line specifies whether the object is a file (-). The next group of three characters defines the read. write. or a link to another file or directory (l). and execute permissions (in that order) for the owner of the object. To display all files sorted by the last modification time and date of each file. enter the following in a terminal window: # ls –la A sample output is as follows [CAE 04]: -rw-r--r-. To check file permissions for all the files in your current working directory. The group and everyone else can only read the file. three different permissions are tracked for every file and folder on the hard drive: read (r). The final group describes the permissions for everyone else. The next group of three characters describes the permissions for the group that controls the object.

Use a long listing format. the command and user that opened the file as well as the file’s size and PID. The +D [directory] parameter shown in Figure 38 forces lsof to perform a full-descent directory tree search for open files within a specific directory. You can discover. CMU/SEI-2005-HB-001 129 . List subdirectories recursively Show last access time Show last modification time Sort list by time Lsof (Linux) The native lsof command allows you to list information about open files and the processes that might have launched them. Table 7: Parameter -a -l -R -u -c -t Common ls Parameters Function Do not hide entries starting with a.Figure 37: Using ls – alct to Show Last Modification Date and Time Common ls parameters are listed in Table 7. among other things.

Figure 38: lsof +D The –i option displays all Internet and x. Figure 39: lsof -i Find and Locate (Linux) The find [directory] [option] [filename] command searches for particular filenames as well. Figure 40: The find Command The locate [filename] command searches the complete file system for references to the filename you specify. 130 CMU/SEI-2005-HB-001 .25 (HP-UX) network files.

Figure 41: The locate Command Unlinked Files (Linux) Unlinked files are marked for deletion when processes that access them terminate [Mandia 01]. Figure 42: The lsof +L1 Command CMU/SEI-2005-HB-001 131 . use the lsof +L1 command as shown in Figure 42. To display open files that have been unlinked and marked for deletion. Because they disappear when the system is powered down. you should attempt to recover them.

When the operating system goes through a normal shutdown. This information may help you identify a rogue or Malware application that starts at one of the five runlevels. the file systems are mounted. note that the link count does not equal zero until the process terminates. and the file's deletion time is set.” Some versions of fsck will re-link the orphaned file to the lost+found directory. the link count is decremented by one. If the utility comes across a file with a positive link count and a deletion time set. but this is not something that you can rely on. On the next boot-up. which is a positive integer representing the number of processes currently using the file. the program on the hard drive is removed from the directory chain (so it will not be displayed in an ls listing). it will decrement the link count. that means no process is using or needs the file. The attacker is unlinking the file. so it will be deleted. The fsck utility will scan the entire file system for damage. This means that the link count on the deleted file is set to zero. Most of the time. every process is forced to close. Chkconfig (Linux) The chkconfig –list command displays a list of startup services that will be run at the five different runlevels. When UNIX mounts a file system. UNIX tracks a file's link count. and the dirty bit remains set. the file system is un-mounted. Files marked for deletion (these are the unlinked files) at the time a system is powered down—whether gracefully (through normal shutdown procedures) or not (you pulled the power cord)—will ultimately end up deleted on the system. After all processes have exited and other general housekeeping items have been completed. However. Unlinked files may still have false link counts. the administrator will be forced to wait while the system performs a file system check (fsck). When the link count equals zero. a “file system dirty” bit is set. and all file handles are closed. If the OS goes through a traumatic shutdown. 132 CMU/SEI-2005-HB-001 . he usually deletes the program file he executed from the file system in an effort to hide his actions. rendering the file “deleted. the file system is left in an unstable state. The attacker’s process terminates normally. Let's examine why. He is not truly deleting the program on the hard drive. and the file system dirty bit is cleared. and the operating system detects the nonzero value of the dirty bit. When an attacker deletes his rogue program.How UNIX deletes a file is best described by Prosise and Mandia [Mandia 01]: When an attacker runs a process.

When chkconfig is run without any options. It describes which processes are started at bootup and during normal operation. If it is.Figure 43: The chkconfig –list Command chkconfig has five distinct functions: adding new services for management. it displays usage information. chkconfig returns true. changing the startup information for services. The --level option may be used to have chkconfig query an alternative runlevel rather than the current one [Haas 04]. otherwise it returns false. removing services from management. listing the current startup information for services. and checking the startup state of a particular service. Valid runlevels are 0-6 and as we can see in Figure 44. If only a service name is given. Inittab File (Linux) The inittab file displays and describes the five runlevels. it checks to see if the service is configured to be started in the current runlevel. CMU/SEI-2005-HB-001 133 . it is set to initdefault setting of 3.

and reboot runlevels and on at multiuser without NFS. full mulituser.Figure 44: The Inittab File In the above example. Attackers often schedule a malicious file to execute periodically so that the malware remains existent. single user. and X11 runlevels. the sshd service is off at the halt. usually in the /var/cron/log or in the default logging directory in a file called cron. Figure 45: A Cron Log 134 CMU/SEI-2005-HB-001 . collect the currently scheduled tasks. All executed cron jobs are logged. Cron Logs (Linux) In addition to startup services and open applications and files. unused. The cron feature allows system administrators to schedule programs for future execution.

1. Pay attention to the following: • • • • • recently added user accounts escalated privileges for existing user accounts remote access accounts added to the system (remote users generally access the system through a shared drive.9. logged off.6 Logged On Users The tools in this section help you identify logged on users. at least one user is generally logged on locally and others may be logged on remotely. or printer) the total number of local and remote users that have access to the system or are currently logged onto the system times that the users logged on to the system. folder. backdoor. When you approach a suspicious computer.Logged On User s Purpose: To determine the total number of authorized users that have access to the system Netusers who last lastlog cat [/etc/passwd] cat [/etc/shadow] To determine the access times of local and remotely connected users What to look for: Recently added user accounts Escalation of user account privileges Local and remote user accounts © 2005 Carnegie Mellon University Psloggedon Net NTLast DumpUsers Module 3: Collecting Volatile Data 3. and the period during which they remained logged onto the system CMU/SEI-2005-HB-001 135 .

a freeware utility. Figure 47: PsLoggedOn 136 CMU/SEI-2005-HB-001 .Netusers (Windows: Local Users) SomarSoft’s Netusers. allows you to display locally logged on users. and no user is logged on via resource shares. It can display current interactive users or all users who have ever logged on through the computer [SystemTools 04]. Figure 46: Netusers PsLoggedOn (Windows: Local and Remote Users) Sysinternals’ PsLoggedOn. allows you to display locally and remotely logged on users. In Figure 47.m. the machine was logged on to at 2:30 p. a freeware command-line utility.

CMU/SEI-2005-HB-001 137 . you will not get any information. If it is not. client type. If they use the command without command-line switches. NTLast (Windows: Remote Users) The NTLast utility from Foundstone can be used to collect event logs associated with logon attempts on the suspicious computer. Figure 49: NTLast For NTLast to work. it displays the remote computer’s name. the audit log feature had to have been enabled through the suspicious computer’s Local Security Policy. Generally. system administrators use net user to create and modify user accounts on computers. Figure 48: The net user Command Net (Windows: Remote Users) The native net [session] command displays information about remote connections established with the suspicious computer. IP address. all user accounts for the computer are displayed. and idle time.Net (Windows: Local and Remote Users) The native net [user] command displays all local and remote users. For each connection.

The who –uH command displays the idle times for logged on user(s).nu’s DumpUsers utility dumps account names and information even though RestrictAnonymous has been set to 1. the time they logged on. Figure 50: DumpUsers The command line options selected in Figure 50 are as follows: • • • • • Target (suspicious computer): XPCOMPROMISEDVM Type: notdc (not a domain controller) Start: 500 (the RID from which to start collecting information) Stop: 502 (the RID from which to stop) Mode: verbose Who (Linux: Local Users) The native who command displays the user that is currently logged on locally. who lists the name of each user currently logged in with their terminal. 138 CMU/SEI-2005-HB-001 . Idle times can be good indicators of a logged on user’s previous activity. Supply an optional system file (default is /etc/utmp) to obtain additional information. With no options. Who –uH (Linux: Local Users) The native who am i command lets you quickly determine the currently logged on user.DumpUsers (Windows: Local Users) NTSecurity. and the name of the host from which they have logged in. Who Am I.

CMU/SEI-2005-HB-001 139 . and the last system clock change. active processes spawned by init. Figure 52: The who –q Command Who –all/–a (Linux: Local and Remote Users) The native who –all or who –a commands display all currently logged on users. the current run level. local and remote. It also prints any dead processes. system login processes. the command displays the time of the last system boot and users currently logged on. Without any parameters.Figure 51: The who –uH Command The native who –q command displays all logged in user names and the number of logged in users.

Specify a user for user-specific details. By default. W (Linux: Local and Remote Users) The native w command displays summaries of system usage. Login information is read from the /var/log/lastlog file. recent logins from the /var/log/wtmp file are included. 140 CMU/SEI-2005-HB-001 . and ps -a. local and remote.or terminal-specific output. who. Specify a tty number or username for user. Figure 53: The last Command Lastlog (Linux: Local and Remote Users) The native lastlog command displays the last login times for system accounts.Last (Linux: Local and Remote Users) The native last command displays a history of logged on users. currently logged on users. This command is a combination of uptime. and logged on user activities.

Figure 54: The w Command Passwd (Linux: Local and Remote Users) The /etc/passwd text file contains user account information, including one-way encrypted passwords. To display the file, use the cat /etc/passwd command.

Figure 55: The cat /etc/passwd Command Shadow (Linux: Local and Remote Users) The /etc/shadow text file contains password and optional password aging information and is readable only by the root user.

CMU/SEI-2005-HB-001

141

Figure 56: The cat shadow Command As in the /etc/passwd file, each user’s information is on a separate line. Each line has nine fields, delineated by colons: • • • • • • • • • username encrypted password date password last changed number of days before password can be changed number of days before password can be changed number of days before password change is required number of days warning before password change number of days before the account is disabled date since the account has been disabled

142

CMU/SEI-2005-HB-001

DLLs or S h a r ed Libr a r ies
Purpose:
To determine possible rogue or modified DLLs and shared libraries

What to look for:
Versions Unfamiliar filenames Recently added DLLs

listdlls.exe

ldd

© 2005 Carnegie Mellon University

Module 3: Collecting Volatile Data

3.9.1.7 DLLs or Shared Libraries
A DLL (or shared library) file contains functions that are compiled, linked, and saved separately from the processes that use them. Functions in DLLs can be used by more than one running process. The OS maps the DLLs into the process’ address space when the process is started or while it is running. The tools in this section help you identify currently loaded DLLs or shared libraries so that you can examine them and determine if any are rogue. Filenames for rogue DLLs may be unidentified or unfamiliar (best case) or they may be masked so that they appear to be legitimate even though they have been corrupted or trigger malicious activity when linked. As you use the tools in this section to identify DLLs, pay attention to the following: • • • processes that are using the running DLLs unfamiliar DLLs compare the list of DLLs for a process with the expected DLLs for that process (check for number of DLLs and their dates, which should be the OS install date unless patches and hot fixes have been applied)

CMU/SEI-2005-HB-001

143

ListDLLs (Windows) Sysinternals’ ListDLLs freeware utility displays all loaded DLLs with their version numbers, associates each loaded DLL with its application or executable, and flags loaded DLLs that have different version numbers than their corresponding on-disk files. In Figure 57, ListDLLs is run without options to produce a list of DLLs.

Figure 57: Using ListDLLs Without Options to Produce a List of DLLs In Figure 58, ListDLLs is used to examine a suspected rogue process (svchost1.exe). In comparing svchost1.exe with the legitimate svchost.exe, significant differences in the types and numbers of loaded DLLs are found.

144

CMU/SEI-2005-HB-001

6 => /lib/libc. is significantly smaller than the list for httpd./apache (Unknown) libc. Differences could indicate a rogue process.2 (0x40000000) CMU/SEI-2005-HB-001 145 . ldd was used to compare the shared libraries of a known Apache server binary (httpd) to a so-called Apache server binary (apache). The list of shared library files for the apache binary.Figure 58: Using ListDLLs to Examine a Suspected Rogue Process ListDLLs can also be used to display the command lines associated with suspected and legitimate processes. Ldd (Linux) The native ldd command displays the shared object files to which an executing binary links. Figure 59: The ldd Command In the following output.6 (0x4001f000) /lib/ld-linux. which makes apache suspect. however.2 => /lib/ld-linux. In Linux. each running process or application has loaded or shared libraries. $ ldd .so.so.so.so.

Figure 60: The ls Command For more details about default library locations.2 => /lib/libdb2.2 => /lib/libdb.so.so.2 (0x701b4000) libc.so.6 => /lib/libm.so.2 => /lib/ld-linux. ls is used to display contents of the lib folder.1 => /usr/lib/libexpat.2 (0x70120000) libexpat.so. see Wheeler’s discussion [Wheeler 03].so.6 (0x7002c000) libcrypt.so.so.so.1 => /lib/libcrypt.1 (0x70180000) libdl.so.2 (0x70000000) Ls (Linux) The native ls command can be used to display the shared libraries to which each executing binary links.so.$ ldd /usr/sbin/httpd (Known) libm.so.so.so.1 (0x700c4000) libdb.2 => /lib/libdl.2 (0x70100000) libdb2.so. In Figure 60.6 (0x701c8000) /lib/ld-linux.so.6 => /lib/libc. 146 CMU/SEI-2005-HB-001 .

Vola tile Networ k In for m a tion Open connections Open ports and sockets Routing information and configuration Network interface status and configuration ARP cache © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. If the machine is standalone or offline.2 Volatile Network Information The types of volatile network information included in this section are not exhaustive. CMU/SEI-2005-HB-001 147 .9. skip this step. but they are key indictors of the network state that can help you unravel the security incident.

and netuse) or backdoor connections on abnormal ports a promiscuously configured network card interface Do not expect to know what each open port on the suspicious computer is used for.cgi.treachery. examine the suspicious computer to see if a any type of cable connects it to a network.Open Con n ection s a n d P or ts Purpose: Identify all live connections Identify all open ports Insight into whom or what the system has been transmitting to or communicating with fport psservice promiscdetect netstat netstat ifconfig /var/log/messages What to look for: Unfamiliar established connections Unfamiliar IP addresses Unfamiliar ports open Network card configuration © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. ftp. ssh.net/tools/ports/lookup. As you use the tools in this section. collect and document the associated IP addresses and open ports. 148 CMU/SEI-2005-HB-001 . This initial collection of network information may be enough for you to determine whether the security incident was caused remotely or locally. To look up a port.9. look for the following: • • • unfamiliar IP addresses and ports legitimate (established through commands like telnet.1 Open Connections and Ports To begin collecting information about open connections and ports. visit www. After you establish all live connections.2.

pause. displays all open TCP/IP and UDP ports and maps them to the owning application. stop. PsService displays the status. Like the SC utility that's included in the Windows NT and Windows 2000 Resource Kits. like the native netstat –an command. for cases when the account from which you run it doesn't have required permissions on the remote system. PsService enables you to log on to a remote system using a different account. which identifies active instances of a service on your network. PsService includes a unique service-search capability. You would use the search feature if you wanted to locate systems running DHCP servers. Unlike the SC utility. and allows you to start. CMU/SEI-2005-HB-001 149 .Fport (Windows) The Fport freeware utility from Foundstone. configuration. Fport also maps those ports to running processes with the PID.foundstone. and dependencies of a service. and restart them. Figure 61: Fport A GUI-based commercial version of Fport is available at http://www. process name.com. and path. PsService (Windows) Sysinternals’ PsService freeware utility acts as a service viewer and controller for Windows NT/2K2000. resume. for instance [Russinovich 03].

To determine the adapter’s mode. the local address (MAC address). the IP address. It also displays the protocol of the connection. Multicast. look at the PromiscDetect’s output.nu’s freeware utility PromiscDetect checks to see if the network adaptor(s) are running in promiscuous mode. which may indicate that a sniffer is running on the suspicious computer. PromiscDetect is available at http://ntsecurity.nu/toolbox/promiscdetect. Figure 63: PromiscDetect Netstat –anb (Windows) The native netstat –anb command displays a list of current TCP/IP connections. If the filters returned are set at Directed. and Broadcast. the network card interface is not in promiscuous mode. and 150 CMU/SEI-2005-HB-001 .Figure 62: PsService PromiscDetect (Windows) NTSecurity.

the connection state. netstat has an additional switch (–o) that displays the PID for the process associated with each connection. which helps you identify mapped connections to shared drives on other computers. The nbtstat –s command displays the session table for the local system with destination IP addresses. For Windows XP systems. Net (Windows) The native net command can be used to determine if the local machine has any network shares or is connected to any network shares. CMU/SEI-2005-HB-001 151 . It also lists files that have been opened on the local system via a session established with a remote system over NetBios. Figure 64: The netstat –anb Command Nbstat (Windows) The native nbtstat command can collect information about recent network connections using the NBT (NetBIOS over TCP/IP) protocol.

local address. and multicast memberships so that you can map processes to open connections and sockets. interfaces. Without parameters. Figure 66: The netstat –anp Command 152 CMU/SEI-2005-HB-001 . The netstat –anp command displays the protocol.Figure 65: The net Command Netstat (Linux) The native netstat command displays information on active sockets. With the –p parameter. routing tables. it shows the process ID and name of the program that owns the socket. state. foreign address. netstat lists open sockets. masquerade connections. and program responsible for the open connection.

and promiscuous mode detection. gateway. there would be a Promisc flag next to Multicast to alert you that there is a network sniffer on this machine./var/log/messages (Linux) Look at /var/log/messages to determine if the network interface card is in promiscuous mode. In Figure 68. DNS servers. Figure 68: The ifconfig Command CMU/SEI-2005-HB-001 153 . Figure 67: /var/log/messages Ifconfig (Linux) The native ifconfig command displays the current configuration for a network interface. Displayed information includes IP address.

2.2 Routing Information As you use the tools in this section to collect routing information. Also. look at the ARP cache to identify recent connections.Rou tin g In for m a tion Why: To determine the recent connections made to the machine and the configuration of the routing table netstat -rn arp -a netstat -r arp -a What to look for: Statically added routes Unfamiliar IP addresses and MAC addresses © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. Make note of added or unfamiliar routes. 154 CMU/SEI-2005-HB-001 . be sure to pay attention to the suspicious computer’s routing table.9.

Netstat. Route (Windows) The native netstat and route commands allow you to collect routing information. The ARP cache also stores the MAC address to IP address translations for the last two minutes [Pierce 03]. MAC address. As shown in Figure 69. and type (dynamic or static). netstat –r displays all volatile active routes for the suspicious computer. The –a switch pulls the active ARP cache entries. Figure 70: The Windows arp Command CMU/SEI-2005-HB-001 155 . Figure 69: The Windows netstat –r Command Arp (Windows) The native arp command displays the following information about the suspicious computer’s network interface: IP address.

Figure 72: The Linux arp –a Command 156 CMU/SEI-2005-HB-001 .Netstat (Linux) The native netstat –rn command displays the current routing table and gateways for all routes on the suspicious computer. Determine whether there are any permanent ARP cache entries or whether ARP proxies were created. Figure 71: The Linux netstat –rn Command Arp (Linux) The native arp –a command displays route entries for the suspicious computer.

Summary Collected volatile data can lead the first responder to the root cause of the security incident.10 Summary The slide above summarizes the main points for Module 3. Volatile data can be easily changed and lost. Use a first responder toolkit to collect volatile data. Document all findings and actions performed during the volatile data collection process. CMU/SEI-2005-HB-001 157 . © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3.

11 Review 1. What utility will allow you to transmit volatile data to a remote workstation? © 2005 Carnegie Mellon University Module 3: Collecting Volatile Data 3. The chkconfig will allow you to collect a list of services that will start upon boot up.Review 1. 2. 158 CMU/SEI-2005-HB-001 . b. 5. to gain initial insight to determine a logical timeline of the computer security incident to determine the next course of action because you have one chance to collect volatile data You should never use native Windows or Linux commands on the suspect live host because the integrity of the suspect machine could be compromised. It is important to collect volatile data from a live machine for the following reasons: a. d. Why should you never use Windows or Linux native commands from the live host? 5. Why is it important to collect volatile data from a live machine? 4.exe utility will allow you to collect a list of currently loaded DLLs. 4. c. What Windows utility will allow you to collect a list of currently loaded DLLs? 2. The Netcat or Cryptcat utilities will allow you to transmit volatile data to a remote workstation. What Linux command will allow you to collect a list of services that will start upon boot up? 3. 3. The Listdlls.

This data plays an important part in any type of computer event investigation. Therefore. and Carnegie Mellon are registered in the U. a group must first agree on what they are talking about. CMU/SEI-2005-HB-001 159 . Distribution is limited by the Software Engineering Institute to attendees. Most epistemologists concur that for effective discussion to take place.S. persistent data can still be contaminated through improper handling.4 Module 4: Collecting Persistent Data Forensics Guide to Incident Response for Technical Staff Module 4: Collecting Persistent Data CERT® Training and Education Networked Systems Survivability Software Engineering Institute Carnegie Mellon University Pittsburgh. It also covers the location of common persistent data types. CERT Coordination Center. Patent and Trademark Office This material is approved for public release. While not as effervescent as volatile data. we define persistent data as that which remains unchanged after the computer has been powered off. PA 15213-3890 © 2005 Carnegie Mellon University ® CERT. This module reviews techniques for capturing persistent data in a forensically sound manner.

1 Objectives The primary objective of this module is to highlight the importance of handling persistent data in a forensically sound manner.Objectives Define persistent data Highlight importance of persistent data Learn consequences of improper examination to persistent data Learn proper techniques for capturing persistent data Learn the locations of common persistent data types © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4. It includes the following topics: • • • • • definition of persistent data importance of persistent data in responding to a security event consequences of improper examination proper techniques for capturing persistent data locations of common persistent data types 160 CMU/SEI-2005-HB-001 .

most users can search for files.2.2 Why is Persistent Data Important? Most forensics evidence is found in persistent data. With access to a computer.Introduction to Persistent Data What is persistent data? • Data in the physical media • Survives machine shutdown Why is persistent data important? • Majority of evidence is persistent data What problems exist in investigating persistent data? • Contamination through improper handling © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4.2. It is found on removable storage media as well as hard drives. precautions still need to be taken to ensure proper collection. investigate past Internet activity.2. cell phones. However.3 What Problems Exist in Investigating Persistent Data? Investigating persistent data is not usually complicated. 4. CMU/SEI-2005-HB-001 161 . While the details may differ. This definition is broad enough to include data held on disks. emails. 4. flash memory.1 What Is Persistent Data? Fundamentally. persistent data is retained and remains unchanged after the computer has been powered off. exploring the suspicious computer in this manner will alter evidence and make it far less useful. Despite its stable nature. and PDAs. the underlying philosophy of handling persistent data is the same across the different media. or even check for the presence of inappropriate programs. Web activity. and deleted files. Examples include documents.2 Introduction to Persistent Data 4.

This is determined by the indicators prompting the investigation (i.. if it is there. If the collection process takes a long time. 2.e. is to collect the entire haystack—highlights two issues: 1. harassing emails. 162 CMU/SEI-2005-HB-001 . inappropriate Web use. or malicious software). it can take even longer to comb through the haystack for the needle. It can take a long time to collect a haystack. it may be better to collect only those areas of the hard drive that have the highest probability of containing the information you seek.Applying the needle/haystack metaphor—the best way to get the needle. Depending on the situation.

3 Responding to a Security Event The following steps are possible responses to a security event. CMU/SEI-2005-HB-001 163 . By looking in the right places. and some are better than others. with a fair degree of accuracy. they may not be the best response. Unfortunately. • Identify the suspicious computer. and dig up (or at least discover the existence of) deleted files. there maybe legal consequences to satisfying one’s curiosity in this manner. − examine Web history − check or open connections − explore file structure for suspicious files or programs • Resolve the issue. there are several possible responses to a security event. However. an inquisitive user can.P ossible Respon se to a S ecu r ity E ven t • Identify suspicious computer • Examine suspicious computer • Resolve issue © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4. determine the user’s Internet activity. It is possible to discover useful information by directly accessing the suspicious computer. − patch (or re-image) machine − confront employee − call authorities Once a computer comes to the attention of a system administrator. examine emails. check for inappropriate material. − IDS alert − user complaint of poor/odd computer performance − user suspected of inappropriate computer use • Examine the suspicious computer.

the landlord has warned him that his identity and illicit activities have been discovered. The computer should be thought of as a crime scene. He finds a wallet. will wreak havoc on the future value of the information gathered. Once the perpetrator is confronted. the landlord’s enthusiasm to solve the problem really complicated the situation. while satisfying curiosity. who comes in.3. and looks behind pictures and under furniture. he was only testing the apartment’s integrity.Con sequ en ces of Respon ses Examine suspicious computer • Check or open connections • Examine Web history • Explore file structure for suspicious files or programs Resolve issue • Patch (or re-image) machine • Confront employee • Call authorities © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4. From another perspective. Consider this scenario: an apartment has been burglarized. the landlord has just solved the case with a minimum of fuss. By contaminating the crime scene and handling the evidence. From one perspective. goes through its contents. After all. He knows the identity of the burglar and can confront the perpetrator and attempt to resolve the situation. By confronting the thief. and discovers that the owner is a tenant two floors up. opens drawers and closets. just taking temporary custody of certain objects to highlight potential security concerns. the landlord has made it difficult for forensic examiners to develop a case against the thief that could be successfully prosecuted. his conscience may be pricked so that he is motivated to return any stolen property and promises not to break into any more apartments. He wasn’t really stealing anything.1 Consequences of Responses An examination of the suspicious computer. 164 CMU/SEI-2005-HB-001 . The tenant calls the landlord. The thief may now take additional measures during his next burglary to remain undetected.

CMU/SEI-2005-HB-001 165 . defense attorneys can claim that the incriminating data was planted. it does illustrate some of the problems facing system administrators when responding to a security event.While the analogy is not perfect. By jumping straight into a suspicious computer. There will also be times when it is clear that the problem can be easily fixed and forgotten. If data is not collected in a forensically sound manner. There will be times when it is clear that a forensic examiner needs to be called in. timestamps are changed and evidence in the slack space or unallocated space may be overwritten. This module is for all the times in between.

Understanding how memory is physically organized helps in understanding how the computer stores data and how that data can linger even after it has been deleted.mspx CMU/SEI-2005-HB-001 166 .microsoft.com/technet/archive/winntas/support/diskover.14 Figure 73: Sectors and Clusters 14 http://www.H a r d wa r e Con sid er a tion s Basic Building Blocks of Disk Storage • Bit: Single 1 or 0 • Byte: 8 bits • Sector: 512 bytes (smallest addressable data unit on a disk) • Cluster: 8 sectors (usually) assigned a status of allocated or unallocated © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4. Bit: A single 1 or 0 Byte: 8 bits Sector: 512 bytes (smallest addressable data unit on a disk) Cluster: 8 sectors (usually) assigned a status of allocated or unallocated Figure 73 illustrates sectors and clusters on a disk.4 Basic Building Blocks of Disk Storage This is a quick review of hardware information covered in the Module 2.

FAT32 has a 32-bit table entry).. the file allocation table (FAT) comes in three variations: FAT12. and applications affect how you examine a system FAT16 FAT32 NTFS Windows 98 2000 XP IE Outlook Ext2/3 UFS FFS Red Hat SuSE KNOPPIX Mozilla Konqueror © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4. CMU/SEI-2005-HB-001 167 .1.1 FAT One of the earlier file systems.2 NTFS The new technology file system (NTFS) uses a master file table (MFT) to keep track of information on a disk. The FAT includes an entry for each cluster on the disk except 0 and 1.e. two different files can never share a cluster. FAT16. and FAT32. Non-resident files’ names and locations are stored in the MFT. The number indicates entry size (i. it is stored in assigned clusters and called a non-resident file. but a cluster can only be allocated to one file at a time. Each entry includes pointers to the clusters that make up a file.1. a file can be stored two ways. FAT 32 is the newest variation included in Windows 95 release 2 and later [Honeynet 04]. In NTFS. 4. OS. The MFT provides greater functionality and allows for larger file sizes than the FAT.5 OS and Application Considerations 4. it can be stored in the MFT itself and is called a resident file. While clusters can be reused after a file is deleted. If the file is larger.5.1 Windows 4.5. They may span several clusters.5. If the file is small enough.OS a n d Applica tion Con sid er a tion s Hardware.

The Windows OS. For more information. The uniformity of Windows makes it easy to find certain types of information.5. and NetBSD HFS and HFS+ (Hierarchical File System) Common file systems for Macintoshes 4. generally has Microsoft’s Internet Explorer (IE) and Outlook. For this reason.thefreedictionary. 168 CMU/SEI-2005-HB-001 .2 Linux/UNIX 4. Some of the more popular ones are listed below. Because Linux systems may be highly customized. which are made up of inodes and blocks. and builds within the same flavor may even differ from each other. Reiser is one flavor of the Ext2 file system. for example.1 Ext2/3 Ext2/3 is the predominant file system for Linux. The inode tables contain information on files located in each group. Linux and UNIX developed from common ancestry and many flavors exist today. Ext3 allows for journaling in the ext file system. Open BSD. IE always keeps the cookie file in the same place (the \Documents and Settings\[user]\Cookies folder). Linux is more complicated. certain types of information are not always stored in the same place. Ext2 partitions are organized into groups. visit http://encyclopedia. you should have a good understanding of where critical files are located for all OSs on your network before a security event occurs. Linux flavors may organize information differently.4.5.com/UFS.5. • • • UFS (UNIX File System) A common UNIX file system FFS (Fast File System) A common file system for FreeBSD.3 Operating Systems Each OS and application may organize information its own way.2.

As you use the procedure. The best method to document a physical scene is to use a digital camera. 2. Establish policies that allow for admissibility of collected data. Document the scene. Below is a sample. Document reasons for beginning the examination. This could be anything from poor system performance to indications that company policy has been violated. those logs should be a part of your normal business process and not just a one-time effort. Take pictures of the computer. 3.Collectin g F or en sic E vid en ce Establish policies that allow for admissibility of collected data Collect volatile data Collect persistent data Begin chain-of-custody documentation Make working copies for analysis © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4.6 Collecting Forensic Evidence Following an established procedure has benefits. If you plan on using any logs in your investigation and subsequent prosecution. As you create the procedure. however. overlook clues in the physical world. This is particularly important in light of admissibility of computer records. Describe in the log what was connected to the computer as well as its CMU/SEI-2005-HB-001 169 . steps are done in a consistent. potential issues can be spotted and corrected before real problems occur. It can be tempting to get lost in the virtual environments of networks and hard drives when responding to a security incident. repeatable manner. it must be collected and be used in the normal course of business. One must not. In order for a computer record to receive an exception to the heresy rules. Focus especially on the peripherals and network connections. The important issue it that there is a documented reason for the investigation. high-level collection procedure: 1.

Begin initial analysis to determine if additional resources are necessary. Begin chain-of-custody documentation (original evidence and master copy) and document each step. 6. 5. b. 170 CMU/SEI-2005-HB-001 . a. Make working copies for analysis and verify their authenticity by calculating hash values. Calculate hash values of the suspicious computer’s disk/files. Collect volatile data. Was it in the middle of a busy cubicle farm or tucked away in a secluded corner? These details may be important to a forensic examiner. Collect persistent data and document each step. 4. As described in Module 3. c.environment. b. volatile data is effervescent and should be collected before nonvolatile data. Calculate the hash values of the newly created master disk/file image to verify authenticity. Perform a bit-stream duplicate image/copy. a.

If you can not remove the hard drive. boot the computer from a safe boot disk. Shutting down a system may trigger malicious software (malware) to erase evidence. like Knoppix STD or Helix. Understanding the principles behind nonvolatile data collection will assist those responding to a security event to make the decision that best fits the circumstances of the security incident. Both are loaded with the necessary forensic tools to image the suspicious drive and send it across the network to another location.1 To Shut Down or Not to Shut Down… It is accepted that the action of switching off the computer may mean that a small amount of evidence may be unrecoverable if it has not been saved to the memory but the integrity of the evidence already present will be retained [ACPO 03]. CMU/SEI-2005-HB-001 171 .6. 2. Collecting nonvolatile data is a different story. it is vital to have a response CD as described in Module 2. just pull the plug. there are two options: 1.To S h u t Down or Not S h u t Down … There are several schools of thought when presented with a suspicious computer: • Shut down the computer • Pull the plug • Examine live system Answer: IT DEPENDS © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4. Remove the hard drive and mount it read-only on a forensic examination computer. Volatile data must be collected from a live system. In a case like this. After a computer has been turned off. If you suspect that malware is present. Some computers may be running critical processes and cannot be shut down.

download dd from http://uranus.Cr ea tin g a Disk Im a ge Usin g d d dd. Following are some basic commands for dd [Grundy 04].exe.it.168.2 Creating a Disk Image Using dd There are several tools that can image a disk or partition. a small but powerful tool available for Windows and Linux.au/~jn/linux/rawwrite/dd.4 8888 © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4. most versions have dd as a native tool. The basic syntax for dd. For Windows systems. dd.exe if=/dev/hda of=image.exe if=\\.\PhysicalMemory | nc 192.exe is explained in Figure 74.disk Target file to be imaged Destination of newly created image Figure 74: dd Syntax 172 CMU/SEI-2005-HB-001 . For Linux systems.swin. We will use dd.htm.exe if=input_filename of=output_filename or dd.6.30.edu.

The partition table and boot information are on dedicated tracks. Boot Records A single hard drive can be organized into multiple partitions.1 System Files 4. Master Boot Record (MBR) The MBR is located on the first sector of the physical disk.7. Because each partition could have a different OS. these commands instruct the computer on how to read the physical disks.1. there are two types of boot records. It contains the information the computer needs to find the partition table and determine the OS. An analysis of a complete hard drive image with a forensic tool or hex editor is necessary.conf • System registry • Timestamps Modification mtime Access atime Change of status ctime Deleted time © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4.7.7 Persistent Data Types 4.P er sisten t Da ta Types: S ystem F iles • BIOS setup • BIOS setup - Master boot record Volume boot sector - Master boot record Volume boot sector • Event/system logs MAC times • Event/system logs /etc/syslog. CMU/SEI-2005-HB-001 173 . Accessing this boot code is one of the first things the computer does.1 Windows Basic Input/Output System (BIOS) Setup • • • Stored in ROM and executed when the computer boots. These tracks are not visible to the file utilities that normally access the partitions or file systems.

Event/System Logs The key to getting useful logs is to collect them before a security incident occurs.2 UNIX/Linux BIOS Setup Generally the boot sector is found in /dev/hda and the file system is found in /dev/hda1. a well developed policy pays off. A SCSI formatted drive might refer to this as /dev/sda instead. In this case.1. For example.Volume Boot Sector Each partition has a volume boot sector. Figure 75: The TypedURLs Folder 4.7. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLS provides a list of the typed URLs. 174 CMU/SEI-2005-HB-001 . System Registry Registry data is a source for users’ settings and activities. This is used to specify the file system of that partition and provide any necessary boot code needed to mount the file system.

Event/System Logs Almost any event on a Linux system can create a log entry. CMU/SEI-2005-HB-001 175 . The degree of logging depends on the configuration of the system.

*.tmp Spool File • Windows .P er sisten t Da ta Types: Tem p F iles Temporary Files *.tmp file is then deleted and becomes a part of your hard drive’s unallocated space [Kuepper 02]. When you are finished.tmp file into the original file. Figure 76: Sample Temp Folder Contents 176 CMU/SEI-2005-HB-001 .tmp) files are created by many applications.spl • UNIX/Linux . Consider Microsoft Word: When you open a document. Word creates a temporary copy of the document to record all changes./var/spool/lpd © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4. The .7. Word saves all the recorded changes from the .2 Temp Files Temp (.shd or *.

spl or . After the job is printed. contain a wealth of information about a print job.shd extension. Windows creates additional temp files during the printing process as described by Morris [Morris 03]. the owner of the file. which have an . As a job is sent to the printer. the disk space that was used by the spool file is reassigned as unallocated. the spool file is created to store the information as it waits to be printed.Another type of temp file is the spool file. “These files. but the printed file is intact until that disk space is overwritten. the printer used.” CMU/SEI-2005-HB-001 177 . and the data to be printed (or a list of the temporary files containing such data). such as the name of the file printed.

1 Windows vs. then. Before a security event occurs. Each Linux flavor.7.7.dat (a Berkeley DB file) Cookies C:\Documents and Settings \Administrator\Cookies Temporary Internet files Web cache index.P er sisten t Da ta Types: Web Ar tifa cts -1 • Internet Explorer • Netscape - Bookmarks (favorites) C:\Documents and Settings \Administrator\Favorites - Cookies URL history history.dat.3. IE default locations are included with each artifact type. build.7. Netscape stores the history in Berkeley DB file called history. The cache is stored in another Berkeley DB file. 4.3. 178 CMU/SEI-2005-HB-001 .db (a Berkeley DB file) URL history Temporary Internet files C:\Documents and Settings \Administrator\Local Settings • Registry hive HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Typed URLs © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4.3 Web Artifacts 4. In the following section.db. Linux Web artifact data storage is not as uniform in Linux as it is for IE in Windows. or browser might put the data in a slightly different place. be sure to document the locations of these files on all flavors of Linux.2 IE Default Locations Bookmarks The IE default location is C:\Documents and Settings\[user]\Favorites. index.

Figure 78: The IE Default Location for Cookies URL History The IE default location is \Documents and Settings\[user]\Local Settings\History. CMU/SEI-2005-HB-001 179 .Figure 77: The IE Default Location for Bookmarks Cookies The IE default location is \Documents and Settings\[user]\Cookies.

Figure 80: The IE Default Location for Web Cache Registry Hive The registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Typed URLs contains a record of the URLs typed into IE. However.Figure 79: The IE Default Location for URL History Temporary Internet Files/Web Cache The contents of each Web page you visit are downloaded to files. Even after these files are deleted. if a user clicks the “Clear 180 CMU/SEI-2005-HB-001 . The IE default location is \Documents and Settings\[user]\Local Settings\Temporary Internet Files. information is left in the unallocated space. those URLs may still be in the registry hive. If a user goes to the history file and deletes entries.

CMU/SEI-2005-HB-001 181 . Where you find this data depends on how the browser was installed.3. the Mozilla browser installed on my computer stores the cookies. The cookies.7. 4. history. and temp files for the Web activity performed using these other browsers are not stored in the Windows locations.slt folder. the entries in the hive will be cleared out. there are other browsers.3 Alternative Browsers Remember that though we live in a Windows universe. For instance. and cache in the C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\wq809fmw. history.History” button in the Tools > Internet Options > “General” tab of IE. cache.

7. Cookies can also be used for nefarious purposes.3. 182 CMU/SEI-2005-HB-001 . visit http://www.com/. a Web site gathers information about a visitor’s habits by placing a cookie on the user’s computer. These can be used for anything from keeping track of user’s preferred book genre in order to make better recommendations to remembering the user’s zip code so they can provide local weather reports.P er sisten t Da ta Types: Web Ar tifa cts -3 © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4.cookiecentral.4 Cookies Often. For more information on cookies and their uses. Malicious Web sites can upload malware masquerading as a cookie to a user’s computer.

P er sisten t Da ta Types: F ile Recover y
Document types
• Files • Emails

Slack space
• RAM slack • Drive slack

Swap files Unallocated space

© 2005 Carnegie Mellon University

Module 4: Collecting Persistent Data

4.7.4 File Recovery
While there are some differences, Windows and Linux file recovery is similar.

4.7.4.1 Deleted Data
There are several different ways to delete data in Windows. Files can be deleted using Windows Explorer, which is the most common method. The deleted file is put into the Recycle Bin but can be easily restored because, per Nelson [Nelson 04], Windows first “changes the name of the file and moves it to a subdirectory with a unique identity in the Recycle Bin.” Info2, the control file for the Recycle Bin, contains information about the original path and file name. Files can be deleted using the MS-DOS functions. Files can be “wiped” using a variety of special software tools. Remember from Module 2 that wiping is different than deleting because clusters where the data was stored are written over to prevent their recovery from slack or unallocated space. Deleting a file, however, does not remove its short cut from the Recent Files list. These files, which are not available through normal means, are available through a forensic examination of the slack or unallocated space. Not all flavors of Linux make use of a Recycle bin the way Windows does. When deleted on a UNIX system, Casey [Casey 00] says “the file’s directory entry is hidden from view and the
CMU/SEI-2005-HB-001 183

system notes that the associated inode is available for reuse. The file’s directory entry, inode, and data remain on the disk until they are overwritten.”

4.7.4.2 Slack Space
Logical file size: Actual size of the file Physical file size: Amount of space a file takes up on the disk, given in whole number of clusters Sector slack: Left over capacity in a sector, filled with data held in the RAM Drive slack: Excess capacity in a cluster, empty or filled with whatever was previously stored in that series of consecutive sectors

4.7.4.3 Swap Files
Windows swap files can be temporary or permanent, depending on which Microsoft OS you have. In Windows 95, 98, and Me, the temporary swap file expands and contracts depending on how much space it needs. To run multiple programs simultaneously with limited RAM, Windows uses this swap file to expand the computer’s RAM. Windows swaps an application’s data to and from the swap file as needed, based on what is actively running. Because this file contains application data, there could be almost any type of data in it: passwords, complete or partial documents, email, credit card numbers, images, and so on. In Windows NT, 2000, and XP, the permanent swap file does not expand and contract. By default, Windows 2000 sets the swap size to the amount of RAM * 1.5. As a side note, there is a local security policy setting under Start > Programs > Administrative Tools > Local Security Policies > Local Policies > Security Options that allows you to set Windows to “Clear virtual memory page when Windows shuts down” [Kuepper 02].

4.7.4.4 Unallocated Space
Unallocated space are portions of the drive that are not actively assigned data.

4.7.4.5 Partial Files
At times, the file system begins writing a file to a disk or partition and does not realize that the target space can not contain the entire file until it has filled all the available space. This generally results in an error and a request that the user clear some space. Partial files do not show up in the directory but remain in unallocated space until they are overwritten.

184

CMU/SEI-2005-HB-001

4.7.4.6 Windows Artifacts
Windows artifacts, which are created by the Windows OS, are important for forensic examiners as they attempt to recreate a user’s activities—partly because the artifacts are often overlooked by users or intruders as they attempt to cover their tracks. They include files used as shortcuts to applications, files, or devices, or certain files created by the OS. Examples are the .lnk files created in the Windows Desktop, Recent, Send To, and Start menu folders. Examine these artifacts to uncover files, folders, applications, or devices that are no longer on the system. For example, a forensic examiner may discover links to files that have been deleted and are no longer recoverable or that were stored on a network drive. Links to other storage devices (i.e., Zip or Jazz drive) may indicate that other media need to be located and analyzed [Morris 03].

CMU/SEI-2005-HB-001

185

P er sisten t Da ta Types: H id d en F iles
From Windows, click Tools > Folder Options, select the “View” tab, and then select the “Show hidden files and folders” option.

© 2005 Carnegie Mellon University

Module 4: Collecting Persistent Data

4.7.5 Hidden Files
Files can be assigned an attribute so that they will not be displayed with normal file system viewing methods (i.e., Windows Explorer and the DOS dir command ). Files may be marked as hidden to protect files from being corrupted by casual users or to hide illicit data or activities. To view hidden files with Windows Explorer, go to Tools > Folder Options, click the “View” tab, and select the Show Hidden files option.

186

CMU/SEI-2005-HB-001

Recover in g a Deleted E m a il

• .pst files C:\DocumentsandSettings\ Administrator\ LocalSettings\ApplicationData \Microsoft\Outlook

• Incoming

-/var/spool/mail
• Outgoing

-/var/spool/mqueue/mail

© 2005 Carnegie Mellon University

Module 4: Collecting Persistent Data

4.8

Recovering a Deleted Email

Windows Outlook emails are .pst files. Their default location is \Documents and Settings\[user]\Local Settings\Application Data\Microsoft\Outlook.

Figure 81: The Default Location for Outlook Email Files Because the .pst files are in a proprietary Windows format, they are more easily viewed with Outlook or Outlook Express. To view them, copy the .pst files from the suspicious computer to another computer with Outlook.

CMU/SEI-2005-HB-001

187

Tools for Accessin g P er sisten t Da ta

• Command line tools

• Command line tools

-

Netcat Cryptocat

-

Sleuth Kit

• GUI-based utilities
Autopsy Forensic Browser

• GUI-based utilities
Windows Explorer

• Commercial • Freeware

• Commercial
EnCase FTK Explorer

• Freeware

-

The Coroner's Toolkit Sleuth Kit KNOPPIX STD

© 2005 Carnegie Mellon University

Module 4: Collecting Persistent Data

4.9

Tools for Accessing Persistent Data

There is a lot of overlap in the forensic tool market. The most important quality to look for is usability. If the tool works for you and it meets admissibility standards, select it. Command-line tools are generally small and portable. They fit easily onto a floppy disk or CD-ROM and if packaged correctly can be used safely on a live suspicious computer. Commercial tools are more polished and often more steamlined. They perform the same tasks as the freeware tools, but what might take 13 steps with a free product will only take two steps with a commercial product. What follows is a small sample of the forensic tools available.

4.9.1 Windows
4.9.1.1 Command-Line Tools
• • Netcat dd Download this tool from http://uranus.it.swin.edu.au/~jn/linux/rawwrite/dd.htm.

4.9.1.2 GUI-Based Utilities

188

Windows Explorer
CMU/SEI-2005-HB-001

For more details.1 Command-Line Tools • Netcat Netcat is a networking utility that reads and writes data across network connections using the TCP/IP protocol. visit http://www. visit http://netcat.shtm.1. • FTK (Forensic Tool Kit) FTK is an all-in-one collection and examination tool.org/autopsy 4. The Sleuth Kit and Autopsy provide many of the same features as commercial digital forensics tools for the analysis of Windows and UNIX file systems (NTFS. ext2. visit http://www.3 Freeware • The Sleuth Kit The Sleuth Kit (previously known as TASK) is a collection of UNIX-based commandline file system and media management forensic analysis tools.2 GUI-Based Utilities • Autopsy Forensic Browser The Autopsy Forensic Browser is a graphical interface to the command-line digital forensic analysis tool.2. Most versions of Linux have dd as a native tool. The Sleuth Kit.2. 4.net.9. FAT. The file system tools CMU/SEI-2005-HB-001 189 . • dd This tools creates drive or partition images.2 UNIX/Linux 4. FFS.com/products/index.9.2. 4. A version of this tool has also been developed for Windows.9. For more details.sleuthkit. For more details.9.com/Product04_Overview. and ext3).9. For more details. 4.accessdata.htm?ProductNum=04. Together.guidancesoftware.sourceforge.3 Commercial • EnCase EnCase is a full service tool that handles acquisition and analysis of volatile and nonvolatile data. It allows you to navigate through the file systems of a mounted image drive.Explorer is native to the Windows OS. visit http://www.

allow you to examine a suspicious computer in a non-intrusive fashion. STD focuses on information security and network management tools.php. For more details. Boot to the CD and you have Knoppix-STD. 190 CMU/SEI-2005-HB-001 . • Knoppix STD Knoppix-STD is a customized distribution of the Knoppix Live Linux CD. • The Coroner’s Toolkit The Coroner’ Toolkit (TCT) is a collection of tools that gather and analyze data on a UNIX.com/tct. For more details.sleuthkit. unrm and lazarus are part of the toolkit and can be used to restore deleted files and data that cannot be easily accessed.knoppix-std. For more details. visit http://www. visit http://www.fish. deleted and hidden content is shown. Because the tools do not rely on the OS to process the file systems. visit http://www.org/sleuthkit/desc.org.

Each OS will handle data differently.10 Summary It is important to remember at least four points from this module: 1. There will be enough aggravation even with proper preparation. Improper collection techniques cause corruption. Performing an ad hoc investigation leads to unnecessary aggravation. 4. Establish procedures before you need to use them. Each OS will handle data differently.Summary Persistent data survives after the power is turned off. © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4. Persistent data survives after the power is turned off. CMU/SEI-2005-HB-001 191 . 2. so be familiar with the computers on your network. Establish procedures before you need them. Improper collection techniques cause corruption. 3. “Primum non nocere” or “First do no harm” could be the dictum when collecting persistent data.

3. Persistent (or nonvolatile) data retains its state after the power has been turned off. 2. but circumstances dictate the appropriate course of action. The computer should not necessarily be shut down before collecting nonvolatile data. Compromised persistent data can result from just about any action taken on the host computer. 4. It is always easier to collect persistent data from a dead hard drive mounted on a forensic workstation. emails. 4. List the basic steps of collecting forensically sound data. (3) image the suspicious computer’s hard drive. registry hives. 5. Browsing the Web. and recent document shortcuts. (4) establish the integrity of the image using a MD5 hash. Web history. (2) document steps taken. and even creating new files can compromise persistent data. (5) perform any analysis of working copies. Types of persistent data include deleted files. List three types of persistent data. Should the computer be shut down before collecting nonvolatile data? 5. How can persistent data be compromised? 3.11 Review 1. recycle bin. MAC times.Review 1. Sometimes a computer must be left on. cookies. opening files. Steps for collecting forensically sound data include (1) have a pre-established procedure in place. In these cases there is nothing to do but collect from the live computer. 192 CMU/SEI-2005-HB-001 . © 2005 Carnegie Mellon University Module 4: Collecting Persistent Data 4. What is persistent data? 2.

Digital Evidence and Computer Crime. Sebastopol. University of WisconsinMadison. What is Netcat? http://netcat.htm (2004). 2004 (ISBN 0-321-20098-5). Eoghan. Impact of the McCain-Kerrey Bill on Constitutional Privacy Rights. [Barrett 04] [Brezinski 02] [CAE 04] [Carvey 04] [Casey 00] [CDT 04] [GNU 04] [Grundy 04] [Haas 04] CMU/SEI-2005-HB-001 193 .0. [ACPO 03] Association of Chief Police Officers (ACPO).sourceforge. The GNU Netcat Project.com/linuxintro-LEFE-2. http://www. Carvey. Casey. CA: Academic Press. Ver 2. http://www.References URLs are valid as of the publication date of this document.com/library/cmd/blcmdl8_chkconfig. Harlan. Second Edition. Daniel J.co. Computer-Aided Engineering Center.5. MA: Addison-Wesley.org/rfc/ rfc3227. CA: O’Reilly. The Law Enforcement and Forensic Examiner Introduction to Linux: A Beginner’s Guide. http://linux. http://www. Barry J.cae.about. Juergen. San Diego.0.linux-forensics. Guidelines for Evidence Collection and Archiving (Network Working Group RFC 3227).pdf (2004).edu/fsg/linux/linux-filepermissions.txt (2002). Good Practice Guide for Computer based Electronic Evidence. College of Engineering. http://www.il/ Lea92.html (2004). Brezinski.shtml (2004). http://www. Linux Pocket Guide. Center for Democracy and Technology. 2004. 2000 (ISBN 0-121-62885X). Boston.5.net (2004).org/crypto/ legis_105/mccain_kerrey/const_impact.htm (2003). Linux / Unix Command: checkconfig. Grundy.4law. Barrett. Linux File Permissions Overview.ietf.cdt. Windows Forensics and Incident Recovery.wisc. D. Haas.

gov/usao/eousa/foia_reading_room/usab4902. Chris. 3rd Edition. Forensics on the Windows Platform. Microsoft. Know Your Enemy: Learning About Security Threats. http://www. Incident Response: Investigating Computer Crime.microsoft.[Honeynet 04] The Honeynet Project. Bill. Guide to Computer Forensics and Investigations. Boston. FAT File System Technology and Patent License. Part Two. MA: Thomson Course Technology.pdf Kuepper.com/infocus/1665 (2003). Inc.com/mscorp/ip/tech/fat. MA: Pearson Education. www. What You Don’t See on Your Hard Drive. http://web. FAT File System: The Story Behind the Innovation. Kevin & Prosise.” USA Bulletin 49.php (2002).org/rr/whitepapers/incident/653.ichnet. Second Edition. Microsoft® Windows® XP Professional Resource Documentation Kit.pdf (2004). National Institute of Justice. http://www. Interoperability Clearinghouse Glossary of Terms. Jamie. 2004 (ISBN 0-61913120-9).com/mscorp/ip/tech/fathist. MIT researchers uncover mountains of private data on discarded computers.sans.asp (2003).ncjrs. Boston.html (2003). Brian.org/pdffiles1/nij/199408. Forensic Examination of Digital Evidence: A Guide for Law Enforcement. Nemeth.org/glossary.mit. Upper Saddle River. Mandia. http://www. Microsoft. http://www. NJ: Prentice Hall PTR. 2001 (ISBN 0-13020601-6).edu/newsoffice/2003/diskdrives. “Computer Records and the Federal Rules of Evidence. Nelson. CA: Osborne/McGraw-Hill. 2001. Kerr.securityfocus.. http://www. Berkeley.microsoft.htm (2003). UNIX System Administration Handbook.asp (2003).microsoft. ICH Architecture Resource Center. http://www. CMU/SEI-2005-HB-001 [ICH 03] [Kerr 01] [Kuepper 02] [Mandia 01] [Microsoft 03a] [Microsoft 03b] [Microsoft 04] [MIT 03] [Morris 03] [Nelson 04] [Nemeth 01] [NIJ 04] 194 . Evi. Morris. Massachusetts Institute of Technology. 2004 (ISBN 0-321-16646-9). 2 (March 2001): 25-32. Microsoft.usdoj.com/resources/documentation/ Windows/XP/all/reskit/en-us (2004). http://www. Orin S.

Sorenson. PsFile.nist. Inc. Incident Response Tools For Unix.com/ntw2k/ freeware/handle. Mark.com/ntw2k/ freeware/psservice.com/define. Holt. Bryce. http://www. Pierce.html (2003).giac.forensics-intl.cftt.shtml (2003).shtml (2004). Russinovich. Mark.sysinternals.org/practical/GSEC/Matt_Pierce_GSEC.shtml (2000). National Institute of Standards and Technology.microsoft. Russinovich.shtml (2004). ListDDLs. Computer Forensics Definitions. Part One: System Tools.mspx (1997). Autoruns. CFTT Metholology Overview.sysinternals.shtml (2001).htm (2003). Inside the Registry. Paul. http://www. Russinovich.shtml (2004). Mark.pjrc.sysinternals.com/ntw2k/ freeware/psinfo.nist. [NIST 03] [NTI 03] [Pierce 03] [Russinovich 97] [Russinovich 00] [Russinovich 01] [Russinovich 03] [Russinovich 04a] [Russinovich 04b] [Russinovich 04c] [Russinovich 04d] [Sorenson 03] [Stoffregen 03] CMU/SEI-2005-HB-001 195 .html (2003). Mark. http://csrc.com/tech/8051/ide/fat32. Russinovich.securityfocus. http://www.com/ ntw2k/freeware/listdlls. PsInfo. http://www. Understanding FAT32 Filesystems. Handle. Mark & Cogswell.com/infocus/1679 (2003). http://www. PsService. http://www. Stoffregen. http://www. Mark. http://www. http://www. Establishing a Computer Security Incident Response Capability. New Technologies. http://www. Detailed Forensic Procedure for Laptop Computers. Mark.com/technet/prodtechnol/winntas/tips/ winntmag/inreg. Mark. Russinovich. Russinovich.gov/publications/nistpubs/800-3/800-3. Filemon for Windows.com/ntw2k/source/filemon.[NIST 01] Wack.com/ntw2k/freeware/autoruns. Matt.gov/Methodology_Overview.pdf (2003).sysinternals. Russinovich. http://www.com/ ntw2k/freeware/psfile.pdf (2001).sysinternals. http://www.sysinternals. John P.sysinternals. http://www.shtml (2004). Russinovich.

) http://www. Vidstrom. Wheeler.[SystemTools 04] SystemTools.com (2004). (Click Free Tools.cybercrime. http://www. United States Department of Justice. http://www. David A.com/ howtos/Program-Library-HOWTO/index.ntsecurity.shtml (2003).com/ l/li/library_computer_science_html (2004).nu/ toolbox/macmatch (2004).htm (2002).com.gov/s&smanual2002.liutilities.com/ products/wintaskspro/processlibrary (2004). http://www. http://www. [Uniblue 04] [USDOJ 02] [Vidstrom 04] [Wheeler 03] [Wikipedia 04] 196 CMU/SEI-2005-HB-001 . NETSECURITY.NU.somarsoft. Wikipedia’s Library (computer science). WinTasks Process Library. Arne. SomarSoft Utilities. Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Program Library HOWTO.linux. Uniblue.factindex. http://www.

VA 22202-4302. SECURITY CLASSIFICATION OF THIS PAGE 19. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) PERFORMING ORGANIZATION REPORT NUMBER 10. Arlington. DC 20503. gathering and maintaining the data needed. 2-89) Prescribed by ANSI Std. including the time for reviewing instructions. Z39-18 298-102 . to Washington Headquarters Services. 5. 0704-0188 Public reporting burden for this collection of information is estimated to average 1 hour per response. LIMITATION OF ABSTRACT Unclassified NSN 7540-01-280-5500 Unclassified Unclassified UL Standard Form 298 (Rev. searching existing data sources. SECURITY CLASSIFICATION OF ABSTRACT 20. AGENCY USE ONLY Form Approved OMB No. NUMBER OF PAGES 18. and completing and reviewing the collection of information. Software Engineering Institute Carnegie Mellon University Pittsburgh. 4. MA 01731-2116 11. PRICE CODE 17. and to the Office of Management and Budget. Paperwork Reduction Project (0704-0188). 6.REPORT DOCUMENTATION PAGE 1. ABSTRACT (MAXIMUM 200 WORDS) 215 14. NTIS 13. Washington. DTIC. SUBJECT TERMS 16. 2. 1215 Jefferson Davis Highway. including suggestions for reducing this burden. REPORT DATE 3. Directorate for information Operations and Reports. SPONSORING/MONITORING AGENCY REPORT NUMBER HQ ESC/XPK 5 Eglin Street Hanscom AFB. SUPPLEMENTARY NOTES 12A DISTRIBUTION/AVAILABILITY STATEMENT 12B DISTRIBUTION CODE Unclassified/Unlimited. SECURITY CLASSIFICATION OF REPORT 15. PA 15213 9. 7. Suite 1204. Send comments regarding this burden estimate or any other aspect of this collection of information. REPORT TYPE AND DATES COVERED (Leave Blank) TITLE AND SUBTITLE Final FUNDING NUMBERS F19628-00-C-0003 AUTHOR(S) PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8.

Sign up to vote on this title
UsefulNot useful